deac/gitlabhq
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

API: fixes visibility of project hook

Browse source 
When a user is not authorized to see the list of hooks for a project, he is
still able to access the hooks separately. For example if access to
`GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error it is
still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`.

Fixes access, also added tests to check access and status codes of hooks.
This commit is contained in:
Sebastian Ziebell 2013-02-16 14:42:49 +01:00
parent ed3f44085e
commit e9d3b96595
2 changed files with 33 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/api/projects.rb
View file

@ -155,6 +155,7 @@ module Gitlab
# Example Request: # Example Request:
# GET /projects/:id/hooks/:hook_id # GET /projects/:id/hooks/:hook_id
get ":id/hooks/:hook_id" do get ":id/hooks/:hook_id" do
authorize! :admin_project, user_project
@hook = user_project.hooks.find(params[:hook_id]) @hook = user_project.hooks.find(params[:hook_id])
present @hook, with: Entities::Hook present @hook, with: Entities::Hook
end end

42
spec/requests/api/projects_spec.rb
View file

@ -196,22 +196,44 @@ describe Gitlab::API do
end end
describe "GET /projects/:id/hooks" do describe "GET /projects/:id/hooks" do
it "should return project hooks" do context "authorized user" do
get api("/projects/#{project.id}/hooks", user) it "should return project hooks" do
get api("/projects/#{project.id}/hooks", user)
response.status.should == 200
response.status.should == 200 json_response.should be_an Array
json_response.count.should == 1
json_response.first['url'].should == "http://example.com"
end
end
json_response.should be_an Array context "unauthorized user" do
json_response.count.should == 1 it "should not access project hooks" do
json_response.first['url'].should == "http://example.com" get api("/projects/#{project.id}/hooks", user3)
response.status.should == 403
end
end end
end end
describe "GET /projects/:id/hooks/:hook_id" do describe "GET /projects/:id/hooks/:hook_id" do
it "should return a project hook" do context "authorized user" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user) it "should return a project hook" do
response.status.should == 200 get api("/projects/#{project.id}/hooks/#{hook.id}", user)
json_response['url'].should == hook.url response.status.should == 200
json_response['url'].should == hook.url
end
it "should return a 404 error if hook id is not available" do
get api("/projects/#{project.id}/hooks/1234", user)
response.status.should == 404
end
end
context "unauthorized user" do
it "should not access an existing hook" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user3)
response.status.should == 403
end
end end
end end