API: Return 404 if user does not have access to group

b2f48d8c · Robert Schilling · 6bb71869 · b2f48d8c · b2f48d8c · b2f48d8c
Commit b2f48d8c authored Apr 12, 2016 by Robert Schilling
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 7 deletions

CHANGELOG CHANGELOG +1 -0

lib/api/helpers.rb lib/api/helpers.rb +1 -2

spec/requests/api/groups_spec.rb spec/requests/api/groups_spec.rb +10 -5

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -40,6 +40,7 @@ v 8.7.0 (unreleased)
  - Fix admin/projects when using visibility levels on search (PotHix)
  - Build status notifications
  - API: Expose user location (Robert Schilling)
+  - API: Do not leak group existence via return code (Robert Schilling)
  - ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
  - Update number of Todos in the sidebar when it's marked as "Done". !3600
  - API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -91,8 +91,7 @@ module API
      if can?(current_user, :read_group, group)
        group
      else
-        forbidden!("#{current_user.username} lacks sufficient "\
-        "access to #{group.name}")
+        not_found!('Group')
      end
    end


--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -61,7 +61,8 @@ describe API::API, api: true  do

      it "should not return a group not attached to user1" do
        get api("/groups/#{group2.id}", user1)
-        expect(response.status).to eq(403)
+
+        expect(response.status).to eq(404)
      end
    end

@@ -92,7 +93,8 @@ describe API::API, api: true  do

      it 'should not return a group not attached to user1' do
        get api("/groups/#{group2.path}", user1)
-        expect(response.status).to eq(403)
+
+        expect(response.status).to eq(404)
      end
    end
  end
@@ -157,7 +159,8 @@ describe API::API, api: true  do

      it "should not return a group not attached to user1" do
        get api("/groups/#{group2.id}/projects", user1)
-        expect(response.status).to eq(403)
+
+        expect(response.status).to eq(404)
      end
    end

@@ -189,7 +192,8 @@ describe API::API, api: true  do

      it 'should not return a group not attached to user1' do
        get api("/groups/#{group2.path}/projects", user1)
-        expect(response.status).to eq(403)
+
+        expect(response.status).to eq(404)
      end
    end
  end
@@ -247,7 +251,8 @@ describe API::API, api: true  do

      it "should not remove a group not attached to user1" do
        delete api("/groups/#{group2.id}", user1)
-        expect(response.status).to eq(403)
+
+        expect(response.status).to eq(404)
      end
    end