diff options
| author | Nick Thomas <nick@gitlab.com> | 2018-01-17 14:30:07 +0000 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2018-01-17 14:30:07 +0000 |
| commit | 1a3bcc76ea14dda52447a517122117942914ecac (patch) | |
| tree | 25ab2c54087e2ee098156f99462460bed39c35de | |
| parent | f17d7a4beef61d0156865f1a9070fb53c8f05c99 (diff) | |
| download | gitlab-ce-1a3bcc76ea14dda52447a517122117942914ecac.tar.gz | |
Fix the user-agent detail API endpoint for project snippets
| -rw-r--r-- | doc/api/project_snippets.md | 9 | ||||
| -rw-r--r-- | lib/api/project_snippets.rb | 2 | ||||
| -rw-r--r-- | spec/requests/api/project_snippets_spec.rb | 13 |
3 files changed, 16 insertions, 8 deletions
diff --git a/doc/api/project_snippets.md b/doc/api/project_snippets.md index ad2521230e6..cc495c5d091 100644 --- a/doc/api/project_snippets.md +++ b/doc/api/project_snippets.md @@ -131,12 +131,13 @@ Available only for admins. GET /projects/:id/snippets/:snippet_id/user_agent_detail ``` -| Attribute | Type | Required | Description | -|-------------|---------|----------|--------------------------------------| -| `id` | Integer | yes | The ID of a snippet | +| Attribute | Type | Required | Description | +|---------------|---------|----------|--------------------------------------| +| `id` | Integer | yes | The ID of a project | +| `snippet_id` | Integer | yes | The ID of a snippet | ```bash -curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/1/user_agent_detail +curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/2/user_agent_detail ``` Example response: diff --git a/lib/api/project_snippets.rb b/lib/api/project_snippets.rb index 5bed58c2d63..39c03c40bab 100644 --- a/lib/api/project_snippets.rb +++ b/lib/api/project_snippets.rb @@ -143,7 +143,7 @@ module API get ":id/snippets/:snippet_id/user_agent_detail" do authenticated_as_admin! - snippet = Snippet.find_by!(id: params[:id]) + snippet = Snippet.find_by!(id: params[:snippet_id], project_id: params[:id]) return not_found!('UserAgentDetail') unless snippet.user_agent_detail diff --git a/spec/requests/api/project_snippets_spec.rb b/spec/requests/api/project_snippets_spec.rb index e741ac4b7bd..4a2289ca137 100644 --- a/spec/requests/api/project_snippets_spec.rb +++ b/spec/requests/api/project_snippets_spec.rb @@ -1,9 +1,9 @@ require 'rails_helper' describe API::ProjectSnippets do - let(:project) { create(:project, :public) } - let(:user) { create(:user) } - let(:admin) { create(:admin) } + set(:project) { create(:project, :public) } + set(:user) { create(:user) } + set(:admin) { create(:admin) } describe "GET /projects/:project_id/snippets/:id/user_agent_detail" do let(:snippet) { create(:project_snippet, :public, project: project) } @@ -18,6 +18,13 @@ describe API::ProjectSnippets do expect(json_response['akismet_submitted']).to eq(user_agent_detail.submitted) end + it 'respects project scoping' do + other_project = create(:project) + + get api("/projects/#{other_project.id}/snippets/#{snippet.id}/user_agent_detail", admin) + expect(response).to have_gitlab_http_status(404) + end + it "returns unautorized for non-admin users" do get api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/user_agent_detail", user) |