Commit b2f48d8c authored by Robert Schilling's avatar Robert Schilling

API: Return 404 if user does not have access to group

parent 6bb71869
......@@ -40,6 +40,7 @@ v 8.7.0 (unreleased)
- Fix admin/projects when using visibility levels on search (PotHix)
- Build status notifications
- API: Expose user location (Robert Schilling)
- API: Do not leak group existence via return code (Robert Schilling)
- ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
- Update number of Todos in the sidebar when it's marked as "Done". !3600
- API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)
......
......@@ -91,8 +91,7 @@ module API
if can?(current_user, :read_group, group)
group
else
forbidden!("#{current_user.username} lacks sufficient "\
"access to #{group.name}")
not_found!('Group')
end
end
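Review bot: The `not_found!('Group')` now returned on the else branch has no comment saying why an access failure answers 404 rather than 403, so a later reader may read it as a mistake and restore the `forbidden!` call; add a line above the `if`, e.g. `# 404 rather than 403: a 403 would confirm to a caller without access that the group exists`. The removed `forbidden!` message also interpolated `group.name`, which the new response no longer echoes, and the comment could mention that this was part of the leak. The enclosing helper method begins before the hunk.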
......
......@@ -61,7 +61,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
end
......@@ -92,7 +93,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
end
end
......@@ -157,7 +159,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}/projects", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
end
......@@ -189,7 +192,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}/projects", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
end
end
......@@ -247,7 +251,8 @@ describe API::API, api: true do
it "should not remove a group not attached to user1" do
delete api("/groups/#{group2.id}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end
end
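Review bot: Every updated example in this section (the group by id and by path, the projects listings, and the delete) asserts only `eq(404)`, which does not show the existence leak is closed: a 404 whose body still names the group would reveal the same information. Each example should also check the body, e.g. `expect(response.body).not_to include(group2.name)`. An example that requests an id that does not exist as the same user and expects the same 404 would pin down that the two cases are indistinguishable from the client side. The enclosing `describe` blocks start before each hunk.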
......