diff options
author | Rémy Coutable <remy@rymai.me> | 2016-09-21 16:40:46 +0200 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-21 19:06:41 +0200 |
commit | 8ffef5ecaff3bad2d86c313ae9b00f86ab7a7dfc (patch) | |
tree | 2ec0076566252492cf1e2049bbfefa034860bed2 | |
parent | b3efa39762336ffd0ed36a79be515cac368f5591 (diff) | |
download | gitlab-ce-22417-api-fork-fix.tar.gz |
API: Return 404 when trying to fork to unaccessible namespace22417-api-fork-fix
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r-- | lib/api/projects.rb | 4 | ||||
-rw-r--r-- | spec/requests/api/fork_spec.rb | 4 |
2 files changed, 5 insertions, 3 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 5eb83c2c8f8..6d99617b56f 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -207,7 +207,9 @@ module API if namespace_id.present? namespace = Namespace.find_by(id: namespace_id) || Namespace.find_by_path_or_name(namespace_id) - not_found!('Target Namespace') unless namespace + unless namespace && can?(current_user, :create_projects, namespace) + not_found!('Target Namespace') + end attrs[:namespace] = namespace end diff --git a/spec/requests/api/fork_spec.rb b/spec/requests/api/fork_spec.rb index 06e3a2183c0..34f84f78952 100644 --- a/spec/requests/api/fork_spec.rb +++ b/spec/requests/api/fork_spec.rb @@ -94,7 +94,7 @@ describe API::API, api: true do it 'fails if trying to fork to another user when not admin' do post api("/projects/fork/#{project.id}", user2), namespace: admin.namespace.id - expect(response).to have_http_status(409) + expect(response).to have_http_status(404) end it 'fails if trying to fork to non-existent namespace' do @@ -114,7 +114,7 @@ describe API::API, api: true do it 'fails to fork to not owned group' do post api("/projects/fork/#{project.id}", user2), namespace: group.name - expect(response).to have_http_status(409) + expect(response).to have_http_status(404) end it 'forks to not owned group when admin' do |