summaryrefslogtreecommitdiff
path: root/lib/api/internal.rb
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2015-02-23 23:14:57 +0100
committerDouwe Maan <douwe@gitlab.com>2015-03-02 17:52:48 +0100
commitdd37a10df44bd1771aa8b163fd857628d03842d9 (patch)
treed03c778b2fcf3452a58aa678369390c5481d70a5 /lib/api/internal.rb
parent039fd3c5620823d2eab340e6c033954cdbd982eb (diff)
downloadgitlab-ce-dd37a10df44bd1771aa8b163fd857628d03842d9.tar.gz
Don't leak information about private project existence via Git-over-SSH/HTTP.
Diffstat (limited to 'lib/api/internal.rb')
-rw-r--r--lib/api/internal.rb39
1 files changed, 22 insertions, 17 deletions
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index ba3fe619b92..753d0fcbd98 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -16,6 +16,17 @@ module API
#
post "/allowed" do
status 200
+
+ actor = if params[:key_id]
+ Key.find_by(id: params[:key_id])
+ elsif params[:user_id]
+ User.find_by(id: params[:user_id])
+ end
+
+ unless actor
+ return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+ end
+
project_path = params[:project]
# Check for *.wiki repositories.
@@ -32,26 +43,20 @@ module API
project = Project.find_with_namespace(project_path)
- unless project
- return Gitlab::GitAccessStatus.new(false, 'No such project')
+ if project
+ status = access.check(
+ actor,
+ params[:action],
+ project,
+ params[:changes]
+ )
end
- actor = if params[:key_id]
- Key.find_by(id: params[:key_id])
- elsif params[:user_id]
- User.find_by(id: params[:user_id])
- end
-
- unless actor
- return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+ if project && status && status.allowed?
+ status
+ else
+ Gitlab::GitAccessStatus.new(false, 'No such project')
end
-
- access.check(
- actor,
- params[:action],
- project,
- params[:changes]
- )
end
#
View Lorry Controller Status