API: Introduce `#find_group!` which also check access permission

Signed-off-by: Rémy Coutable <remy@rymai.me>

API: Introduce `#find_group!` which also check access permission
Signed-off-by: Rémy Coutable <remy@rymai.me>
81ba3f91 · Rémy Coutable · 4f5ed812 · 81ba3f91 · 81ba3f91 · 81ba3f91
Commit 81ba3f91 authored Nov 24, 2016 by Rémy Coutable
Showing with 15 additions and 7 deletions

lib/api/groups.rb lib/api/groups.rb +4 -4

lib/api/helpers.rb lib/api/helpers.rb +9 -1

lib/api/helpers/members_helpers.rb lib/api/helpers/members_helpers.rb +1 -1

lib/api/issues.rb lib/api/issues.rb +1 -1

No files found.
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -82,7 +82,7 @@ module API
                        :lfs_enabled, :request_access_enabled
      end
      put ':id' do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        authorize! :admin_group, group

        if ::Groups::UpdateService.new(group, current_user, declared_params(include_missing: false)).execute
@@ -96,13 +96,13 @@ module API
        success Entities::GroupDetail
      end
      get ":id" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        present group, with: Entities::GroupDetail
      end

      desc 'Remove a group.'
      delete ":id" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        authorize! :admin_group, group
        DestroyGroupService.new(group, current_user).execute
      end
@@ -111,7 +111,7 @@ module API
        success Entities::Project
      end
      get ":id/projects" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        projects = GroupProjectsFinder.new(group).execute(current_user)
        projects = paginate projects
        present projects, with: Entities::Project, user: current_user

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -105,7 +105,15 @@ module API
    end

    def find_group(id)
-      group = Group.find_by(path: id) || Group.find_by(id: id)
+      if id =~ /^\d+$/
+        Group.find_by(id: id)
+      else
+        Group.find_by(path: id)
+      end
+    end
+
+    def find_group!(id)
+      group = find_group(id)

      if can?(current_user, :read_group, group)
        group

--- a/lib/api/helpers/members_helpers.rb
+++ b/lib/api/helpers/members_helpers.rb
@@ -2,7 +2,7 @@ module API
  module Helpers
    module MembersHelpers
      def find_source(source_type, id)
-        public_send("find_#{source_type}", id)
+        public_send("find_#{source_type}!", id)
      end

      def authorize_admin_source!(source_type, source)

--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -68,7 +68,7 @@ module API
      #   GET /groups/:id/issues?milestone=1.0.0
      #   GET /groups/:id/issues?milestone=1.0.0&state=closed
      get ":id/issues" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])

        params[:state] ||= 'opened'
        params[:group_id] = group.id