diff options
| author | Robert Schilling <rschilling@student.tugraz.at> | 2016-04-12 21:34:24 +0200 |
|---|---|---|
| committer | Robert Schilling <rschilling@student.tugraz.at> | 2016-04-13 11:11:09 +0200 |
| commit | b2f48d8c46cebcf2a576c18b661c3481b3450f3b (patch) | |
| tree | 2586e6672f6b3b58bdc26b31d85099074528a43a | |
| parent | 6bb71869b8c003e9e880646afa35050821e7dac9 (diff) | |
| download | gitlab-ce-b2f48d8c46cebcf2a576c18b661c3481b3450f3b.tar.gz | |
API: Return 404 if user does not have access to group
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | lib/api/helpers.rb | 3 | ||||
| -rw-r--r-- | spec/requests/api/groups_spec.rb | 15 |
3 files changed, 12 insertions, 7 deletions
diff --git a/CHANGELOG b/CHANGELOG index f3fc54219e4..77a88714517 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -40,6 +40,7 @@ v 8.7.0 (unreleased) - Fix admin/projects when using visibility levels on search (PotHix) - Build status notifications - API: Expose user location (Robert Schilling) + - API: Do not leak group existence via return code (Robert Schilling) - ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591 - Update number of Todos in the sidebar when it's marked as "Done". !3600 - API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling) diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 4921ae99e78..96af7d7675c 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -91,8 +91,7 @@ module API if can?(current_user, :read_group, group) group else - forbidden!("#{current_user.username} lacks sufficient "\ - "access to #{group.name}") + not_found!('Group') end end diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index 7383c7d11aa..083d5c459c6 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -61,7 +61,8 @@ describe API::API, api: true do it "should not return a group not attached to user1" do get api("/groups/#{group2.id}", user1) - expect(response.status).to eq(403) + + expect(response.status).to eq(404) end end @@ -92,7 +93,8 @@ describe API::API, api: true do it 'should not return a group not attached to user1' do get api("/groups/#{group2.path}", user1) - expect(response.status).to eq(403) + + expect(response.status).to eq(404) end end end @@ -157,7 +159,8 @@ describe API::API, api: true do it "should not return a group not attached to user1" do get api("/groups/#{group2.id}/projects", user1) - expect(response.status).to eq(403) + + expect(response.status).to eq(404) end end @@ -189,7 +192,8 @@ describe API::API, api: true do it 'should not return a group not attached to user1' do get api("/groups/#{group2.path}/projects", user1) - expect(response.status).to eq(403) + + expect(response.status).to eq(404) end end end @@ -247,7 +251,8 @@ describe API::API, api: true do it "should not remove a group not attached to user1" do delete api("/groups/#{group2.id}", user1) - expect(response.status).to eq(403) + + expect(response.status).to eq(404) end end |