authorRémy Coutable <remy@rymai.me>2016-11-24 14:40:35 +0100
committerRémy Coutable <remy@rymai.me>2016-11-24 14:40:35 +0100
commit4f5ed812325845f263fc9b566651c1179b5c24bc (patch)
tree8d05ddcc43dd0c69d38c37ac9d0fc6e214a8087f
parent304163becba3610a99dfff644c13972a2f54ed3b (diff)
API: Introduce `#find_project!` which also check access permission
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--lib/api/helpers.rb17
-rw-r--r--lib/api/projects.rb2
2 files changed, 11 insertions, 8 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 60067758e95..42f4c2ccf9d 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -68,7 +68,7 @@ module API
end
def user_project
- @project ||= find_project(params[:id])
+ @project ||= find_project!(params[:id])
end
def available_labels
@@ -76,12 +76,15 @@ module API
end
def find_project(id)
- project =
- if id =~ /^\d+$/
- Project.find_by(id: id)
- else
- Project.find_with_namespace(id)
- end
+ if id =~ /^\d+$/
+ Project.find_by(id: id)
+ else
+ Project.find_with_namespace(id)
+ end
+ end
+
+ def find_project!(id)
+ project = find_project(id)
if can?(current_user, :read_project, project)
project
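Review bot: The numeric-id test carried into the new `find_project`, `if id =~ /^\d+$/`, uses line anchors, which in Ruby match at every line boundary, so an id containing a newline next to a digits-only line still takes the `Project.find_by(id: id)` branch. Anchoring to the whole string with `if id =~ /\A\d+\z/` keeps such values on the `find_with_namespace` path. Because `find_project` no longer performs the `:read_project` check itself, it would also help to add a comment above it such as `# Looks up a project by id or full path WITHOUT checking permissions; use find_project! for request-supplied ids`. The body of `find_project!` continues past the end of this hunk, so the denied-access branch cannot be reviewed from here.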
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index ddfde178d30..2ea3c433ae2 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -379,7 +379,7 @@ module API
# POST /projects/:id/fork/:forked_from_id
post ":id/fork/:forked_from_id" do
authenticated_as_admin!
- forked_from_project = find_project(params[:forked_from_id])
+ forked_from_project = find_project!(params[:forked_from_id])
unless forked_from_project.nil?
if user_project.forked_from_project.nil?
user_project.create_forked_project_link(forked_to_project_id: user_project.id, forked_from_project_id: forked_from_project.id)
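Review bot: The `unless forked_from_project.nil?` guard that follows the new `find_project!(params[:forked_from_id])` call may no longer match what the finder returns. What `find_project!` does for a missing or unreadable project is outside the visible hunks. If it halts the request with a not-found response, this guard and its else path are dead code and should be removed so that the endpoint has a single failure path. If it can return nil, a short comment here saying so would keep the next reader from assuming the bang method never does. The `post` block continues outside this hunk.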