diff options
author | Rémy Coutable <remy@rymai.me> | 2016-11-24 14:40:35 +0100 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-11-24 14:40:35 +0100 |
commit | 4f5ed812325845f263fc9b566651c1179b5c24bc (patch) | |
tree | 8d05ddcc43dd0c69d38c37ac9d0fc6e214a8087f | |
parent | 304163becba3610a99dfff644c13972a2f54ed3b (diff) | |
download | gitlab-ce-4f5ed812325845f263fc9b566651c1179b5c24bc.tar.gz |
API: Introduce `#find_project!` which also check access permission
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r-- | lib/api/helpers.rb | 17 | ||||
-rw-r--r-- | lib/api/projects.rb | 2 |
2 files changed, 11 insertions, 8 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 60067758e95..42f4c2ccf9d 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -68,7 +68,7 @@ module API end def user_project - @project ||= find_project(params[:id]) + @project ||= find_project!(params[:id]) end def available_labels @@ -76,12 +76,15 @@ module API end def find_project(id) - project = - if id =~ /^\d+$/ - Project.find_by(id: id) - else - Project.find_with_namespace(id) - end + if id =~ /^\d+$/ + Project.find_by(id: id) + else + Project.find_with_namespace(id) + end + end + + def find_project!(id) + project = find_project(id) if can?(current_user, :read_project, project) project diff --git a/lib/api/projects.rb b/lib/api/projects.rb index ddfde178d30..2ea3c433ae2 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -379,7 +379,7 @@ module API # POST /projects/:id/fork/:forked_from_id post ":id/fork/:forked_from_id" do authenticated_as_admin! - forked_from_project = find_project(params[:forked_from_id]) + forked_from_project = find_project!(params[:forked_from_id]) unless forked_from_project.nil? if user_project.forked_from_project.nil? user_project.create_forked_project_link(forked_to_project_id: user_project.id, forked_from_project_id: forked_from_project.id) |