authorRobert Speicher <robert@gitlab.com>2017-01-19 17:11:48 +0000
committerRobert Speicher <rspeicher@gmail.com>2017-01-23 13:41:58 -0500
commit60d1dcb83ac97e3d0dfd9cdf0daa970671ba3d68 (patch)
treed85bd3d2d1176060b265b96e2f1182fb77f26138
parent30d5e9fa54e0beacfb9b28c307543ff359f17668 (diff)
Merge branch 'fix-users-deleting-public-deployment-keys' into 'security'
Fix users being able to delete instance public deployment keys See merge request !2049
-rw-r--r--changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml4
-rw-r--r--lib/api/deploy_keys.rb10
2 files changed, 11 insertions, 3 deletions
diff --git a/changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml b/changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml
new file mode 100644
index 00000000000..c9edd1de86c
--- /dev/null
+++ b/changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml
@@ -0,0 +1,4 @@
+---
+title: Prevent users from deleting system deploy keys via the project deploy key API
+merge_request:
+author:
diff --git a/lib/api/deploy_keys.rb b/lib/api/deploy_keys.rb
index 85360730841..f6cb17bafd8 100644
--- a/lib/api/deploy_keys.rb
+++ b/lib/api/deploy_keys.rb
@@ -105,15 +105,19 @@ module API
present key.deploy_key, with: Entities::SSHKey
end
- desc 'Delete existing deploy key of currently authenticated user' do
+ desc 'Delete deploy key for a project' do
success Key
end
params do
requires :key_id, type: Integer, desc: 'The ID of the deploy key'
end
delete ":id/#{path}/:key_id" do
- key = user_project.deploy_keys.find(params[:key_id])
- key.destroy
+ key = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])
+ if key
+ key.destroy
+ else
+ not_found!('Deploy Key')
+ end
end
end
end
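Review bot: In the `delete` block, `key` now holds a `deploy_keys_projects` join row rather than a deploy key, so `key.destroy` only unlinks the key from this project, and nothing in the code says that this is the intent of the fix. I would rename the variable and state it, e.g. `# Unlink the key from this project only; the key record may be shared or instance-wide` above `link = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])`. The `desc` still declares `success Key`, while the block's value is now whatever `destroy` on the join row returns, so the response shape presumably no longer matches the declared entity and is worth confirming. The diffstat lists only the changelog and this file, so a request spec asserting that a public deploy key still exists after this call would guard the fix against regression. The enclosing resource block starts outside the hunk, so any authorization filter that applies to this route is not visible here.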