BigW Consortium Gitlab

Commit 25e4c512 by Dmitriy Zaporozhets

Merge pull request #3011 from Asquera/fix_access_to_nonvisible_hook

API: fixes visibility of project hook
parents c56d32c7 e9d3b965
......@@ -155,6 +155,7 @@ module Gitlab
# Example Request:
# GET /projects/:id/hooks/:hook_id
get ":id/hooks/:hook_id" do
authorize! :admin_project, user_project
@hook = user_project.hooks.find(params[:hook_id])
present @hook, with: Entities::Hook
end
......
......@@ -196,9 +196,9 @@ describe Gitlab::API do
end
describe "GET /projects/:id/hooks" do
context "authorized user" do
it "should return project hooks" do
get api("/projects/#{project.id}/hooks", user)
response.status.should == 200
json_response.should be_an Array
......@@ -207,12 +207,34 @@ describe Gitlab::API do
end
end
context "unauthorized user" do
it "should not access project hooks" do
get api("/projects/#{project.id}/hooks", user3)
response.status.should == 403
end
end
end
describe "GET /projects/:id/hooks/:hook_id" do
context "authorized user" do
it "should return a project hook" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user)
response.status.should == 200
json_response['url'].should == hook.url
end
it "should return a 404 error if hook id is not available" do
get api("/projects/#{project.id}/hooks/1234", user)
response.status.should == 404
end
end
context "unauthorized user" do
it "should not access an existing hook" do
get api("/projects/#{project.id}/hooks/#{hook.id}", user3)
response.status.should == 403
end
end
end
describe "POST /projects/:id/hooks" do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment