API: fixes visibility of project hook
When a user is not authorized to see the list of hooks for a project, they are still able to access the hooks individually. For example, if access to `GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error, it is still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`. Fixes the access check and adds tests covering access and status codes of hooks.
This commit is contained in:
parent
ed3f44085e
commit
e9d3b96595
2 changed files with 33 additions and 10 deletions
@ -155,6 +155,7 @@ module Gitlab
# Example Request:
# Example Request:
# GET /projects/:id/hooks/:hook_id
# GET /projects/:id/hooks/:hook_id
get ":id/hooks/:hook_id" do
get ":id/hooks/:hook_id" do
authorize! :admin_project, user_project
@hook = user_project.hooks.find(params[:hook_id])
@hook = user_project.hooks.find(params[:hook_id])
present @hook, with: Entities::Hook
present @hook, with: Entities::Hook
end
end
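Review bot: The new `authorize! :admin_project, user_project` in `get ":id/hooks/:hook_id"` sits before the `user_project.hooks.find(params[:hook_id])` lookup, and that ordering is worth recording, because checking after the lookup would let an unauthorized caller tell existing hook ids from missing ones by 404 versus 403. A one-line comment above it, `# authorize before the lookup so an unauthorized user cannot probe hook ids via 404 vs 403`, would keep a later reorder from quietly weakening the check. The endpoint's header comment could also state the permission it enforces, e.g. `# Requires :admin_project on the project`. Presumably the sibling `GET :id/hooks` endpoint applies the same `authorize!`; it is outside this hunk, so confirm the two agree.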
@ -196,9 +196,9 @@ describe Gitlab::API do
end
end
describe "GET /projects/:id/hooks" do
describe "GET /projects/:id/hooks" do
context "authorized user" do
it "should return project hooks" do
it "should return project hooks" do
get api("/projects/#{project.id}/hooks", user)
get api("/projects/#{project.id}/hooks", user)
response.status.should == 200
response.status.should == 200
json_response.should be_an Array
json_response.should be_an Array
@ -207,12 +207,34 @@ describe Gitlab::API do
end
end
end
end
context "unauthorized user" do
it "should not access project hooks" do
get api("/projects/#{project.id}/hooks", user3)
response.status.should == 403
end
end
end
describe "GET /projects/:id/hooks/:hook_id" do
describe "GET /projects/:id/hooks/:hook_id" do
context "authorized user" do
it "should return a project hook" do
it "should return a project hook" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user)
get api("/projects/#{project.id}/hooks/#{hook.id}", user)
response.status.should == 200
response.status.should == 200
json_response['url'].should == hook.url
json_response['url'].should == hook.url
end
end
it "should return a 404 error if hook id is not available" do
get api("/projects/#{project.id}/hooks/1234", user)
response.status.should == 404
end
end
context "unauthorized user" do
it "should not access an existing hook" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user3)
response.status.should == 403
end
end
end
end
describe "POST /projects/:id/hooks" do
describe "POST /projects/:id/hooks" do
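Review bot: The `context "unauthorized user"` added under `describe "GET /projects/:id/hooks/:hook_id"` only asserts 403 for an existing hook; nothing asserts that an unauthorized user requesting a nonexistent hook id also gets 403 rather than 404, which is exactly the property the API side gains by running `authorize!` before the `find`, and the one most likely to regress if that ordering changes. The authorized 404 case relies on the literal id `1234`, which presumes no fixture hook carries that id; that holds only while the fixtures stay small, so a comment stating the assumption, `# 1234 is assumed not to match any fixture hook`, would help. `user3` and `hook` are defined outside this hunk.
```ruby
context "unauthorized user" do
  # … unchanged: "should not access an existing hook" …

  it "should not reveal whether a hook id exists" do
    get api("/projects/#{project.id}/hooks/1234", user3)
    response.status.should == 403
  end
```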