Improve vulnerability API

5b3cdef1 · Robert Schilling · 21c17c0f · 5b3cdef1 · 5b3cdef1 · 5b3cdef1
Commit 5b3cdef1 authored May 16, 2019 by Robert Schilling
3 changed files
--- a/ee/changelogs/unreleased/vulnerability-api-improvement.yml
+++ b/ee/changelogs/unreleased/vulnerability-api-improvement.yml
+---
+title: Improve vulnerability API
+merge_request: 12760
+author: Robert Schilling
+type: other
--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -43,12 +43,10 @@ module API
      end

      get ':id/vulnerabilities' do
-        project = Project.find(params[:id])
-
-        not_found!('Project') unless project && can?(current_user, :read_project_security_dashboard, project)
+        authorize! :read_project_security_dashboard, user_project

        vulnerability_occurrences = Kaminari.paginate_array(
-          vulnerability_occurrences_by(declared_params.merge(project: project))
+          vulnerability_occurrences_by(declared_params.merge(project: user_project))
        )

        present paginate(vulnerability_occurrences),

--- a/ee/spec/requests/api/vulnerabilities_spec.rb
+++ b/ee/spec/requests/api/vulnerabilities_spec.rb
@@ -114,16 +114,18 @@ describe API::Vulnerabilities do
        stub_licensed_features(security_dashboard: false, sast: true, dependency_scanning: true, container_scanning: true)
      end

-      it 'responds with 404 Not Found' do
+      it 'responds with 403 Forbidden' do
        get api("/projects/#{project.id}/vulnerabilities", user)

-        expect(response).to have_gitlab_http_status(404)
+        expect(response).to have_gitlab_http_status(403)
      end
    end

-    context 'with unauthorized user' do
+    context 'with no project access' do
      it 'responds with 404 Not Found' do
-        get api("/projects/#{project.id}/vulnerabilities", user)
+        private_project = create(:project)
+
+        get api("/projects/#{private_project.id}/vulnerabilities", user)

        expect(response).to have_gitlab_http_status(404)
      end