Change HTTP Status Code when repository disabled

6 files changed, 29 insertions, 14 deletions

diff --git a/changelogs/unreleased/50834-change-http-status-code-when-repository-disabled.yml b/changelogs/unreleased/50834-change-http-status-code-when-repository-disabled.yml
new file mode 100644
index 00000000000..b51079d5c74
--- /dev/null
+++ b/changelogs/unreleased/50834-change-http-status-code-when-repository-disabled.yml
@@ -0,0 +1,5 @@
+---
+title: "Changed HTTP Status Code for disabled repository on /branches and /commits to 404"
+merge_request: 29585
+author: Sam Battalio
+type: changed
diff --git a/lib/api/branches.rb b/lib/api/branches.rb
index 65d7f68bbf9..c3821630b6b 100644
--- a/lib/api/branches.rb
+++ b/lib/api/branches.rb
@@ -8,7 +8,10 @@ module API
 
     BRANCH_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(branch: API::NO_SLASH_URL_PART_REGEX)
 
-    before { authorize! :download_code, user_project }
+    before do
+      require_repository_enabled!
+      authorize! :download_code, user_project
+    end
 
     helpers do
       params :filter_params do
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 80913f4ca07..eebded87ebc 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -6,7 +6,10 @@ module API
   class Commits < Grape::API
     include PaginationParams
 
-    before { authorize! :download_code, user_project }
+    before do
+      require_repository_enabled!
+      authorize! :download_code, user_project
+    end
 
     helpers do
       def user_access
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 6382d295f79..8ae42c6dadd 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -250,6 +250,10 @@ module API
       authorize! :update_build, user_project
     end
 
+    def require_repository_enabled!(subject = :global)
+      not_found!("Repository") unless user_project.feature_available?(:repository, current_user)
+    end
+
     def require_gitlab_workhorse!
       unless env['HTTP_GITLAB_WORKHORSE'].present?
         forbidden!('Request should be executed via GitLab Workhorse')
diff --git a/spec/requests/api/branches_spec.rb b/spec/requests/api/branches_spec.rb
index 8b503777443..f9c8b42afa8 100644
--- a/spec/requests/api/branches_spec.rb
+++ b/spec/requests/api/branches_spec.rb
@@ -65,7 +65,7 @@ describe API::Branches do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { get api(route, current_user) }
         end
       end
@@ -175,7 +175,7 @@ describe API::Branches do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { get api(route, current_user) }
         end
       end
@@ -337,7 +337,7 @@ describe API::Branches do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { put api(route, current_user) }
         end
       end
@@ -471,7 +471,7 @@ describe API::Branches do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { put api(route, current_user) }
         end
       end
@@ -547,7 +547,7 @@ describe API::Branches do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { post api(route, current_user) }
         end
       end
diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index f104da6ebba..3df5d9412f8 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -736,7 +736,7 @@ describe API::Commits do
     context 'when repository is disabled' do
       include_context 'disabled repository'
 
-      it_behaves_like '403 response' do
+      it_behaves_like '404 response' do
         let(:request) { get api(route, current_user) }
       end
     end
@@ -825,7 +825,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { get api(route, current_user) }
         end
       end
@@ -968,7 +968,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { get api(route, current_user) }
         end
       end
@@ -1067,7 +1067,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { get api(route, current_user) }
         end
       end
@@ -1169,7 +1169,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { post api(route, current_user), params: { branch: 'master' } }
         end
       end
@@ -1324,7 +1324,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { post api(route, current_user), params: { branch: branch } }
         end
       end
@@ -1435,7 +1435,7 @@ describe API::Commits do
       context 'when repository is disabled' do
         include_context 'disabled repository'
 
-        it_behaves_like '403 response' do
+        it_behaves_like '404 response' do
           let(:request) { post api(route, current_user), params: { note: 'My comment' } }
         end
       end