API: fixes visibility of project hook

When a user is not authorized to see the list of hooks for a project, he is still able to access the hooks separately. For example if access to `GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error it is still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`. Fixes access, also added tests to check access and status codes of hooks.

API: fixes visibility of project hook
When a user is not authorized to see the list of hooks for a project, he is still able to access the hooks separately. For example if access to `GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error it is still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`. Fixes access, also added tests to check access and status codes of hooks.
e9d3b965 · Sebastian Ziebell · ed3f4408 · e9d3b965 · e9d3b965
Commit e9d3b965 authored Feb 16, 2013 by Sebastian Ziebell
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 10 deletions

lib/api/projects.rb lib/api/projects.rb +1 -0

spec/requests/api/projects_spec.rb spec/requests/api/projects_spec.rb +32 -10

No files found.
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -155,6 +155,7 @@ module Gitlab
      # Example Request:
      #   GET /projects/:id/hooks/:hook_id
      get ":id/hooks/:hook_id" do
+        authorize! :admin_project, user_project
        @hook = user_project.hooks.find(params[:hook_id])
        present @hook, with: Entities::Hook
      end

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -196,22 +196,44 @@ describe Gitlab::API do
  end
  describe "GET /projects/:id/hooks" do
-    it "should return project hooks" do
+    context "authorized user" do
-      get api("/projects/#{project.id}/hooks", user)
+      it "should return project hooks" do
+        get api("/projects/#{project.id}/hooks", user)
+        response.status.should == 200
-      response.status.should == 200
+        json_response.should be_an Array
+        json_response.count.should == 1
+        json_response.first['url'].should == "http://example.com"
+      end
+    end
-      json_response.should be_an Array
+    context "unauthorized user" do
-      json_response.count.should == 1
+      it "should not access project hooks" do
-      json_response.first['url'].should == "http://example.com"
+        get api("/projects/#{project.id}/hooks", user3)
+        response.status.should == 403
+      end
    end
  end
  describe "GET /projects/:id/hooks/:hook_id" do
-    it "should return a project hook" do
+    context "authorized user" do
-      get api("/projects/#{project.id}/hooks/#{hook.id}", user)
+      it "should return a project hook" do
-      response.status.should == 200
+        get api("/projects/#{project.id}/hooks/#{hook.id}", user)
-      json_response['url'].should == hook.url
+        response.status.should == 200
+        json_response['url'].should == hook.url
+      end
+      it "should return a 404 error if hook id is not available" do
+        get api("/projects/#{project.id}/hooks/1234", user)
+        response.status.should == 404
+      end
+    end
+    context "unauthorized user" do
+      it "should not access an existing hook" do
+        get api("/projects/#{project.id}/hooks/#{hook.id}", user3)
+        response.status.should == 403
+      end
    end
  end