Merge branch 'fix-project-hook-delete-permissions' into 'master'

Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959
author: Rémy Coutable <remy@gitlab.com> 2016-04-25 09:26:58 +0000
committer: Rémy Coutable <remy@gitlab.com> 2016-04-25 09:26:58 +0000
commit: 41aa7a89fbe2f35d4a3b66bb55a98f224adc837c (patch)
tree: b9886420a1ff8884ede2fcb1263e7bc32dbe9181 /lib
parent: 2eee6a0cbc02c80eb0750a7ca77ee31c4cf0884f (diff)
parent: 9413dd80f57aea6a1f3a1a0fe26b76c9fad0661c (diff)
download: gitlab-ce-41aa7a89fbe2f35d4a3b66bb55a98f224adc837c.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/api/project_hooks.rb b/lib/api/project_hooks.rb
index cf9938d25a7..ccca65cbe1c 100644
--- a/lib/api/project_hooks.rb
+++ b/lib/api/project_hooks.rb
@@ -103,10 +103,10 @@ module API
         required_attributes! [:hook_id]
 
         begin
-          @hook = ProjectHook.find(params[:hook_id])
-          @hook.destroy
+          @hook = user_project.hooks.destroy(params[:hook_id])
         rescue
           # ProjectHook can raise Error if hook_id not found
+          not_found!("Error deleting hook #{params[:hook_id]}")
         end
       end
     end
author	Rémy Coutable <remy@gitlab.com>	2016-04-25 09:26:58 +0000
committer	Rémy Coutable <remy@gitlab.com>	2016-04-25 09:26:58 +0000
commit	41aa7a89fbe2f35d4a3b66bb55a98f224adc837c (patch)
tree	b9886420a1ff8884ede2fcb1263e7bc32dbe9181 /lib
parent	2eee6a0cbc02c80eb0750a7ca77ee31c4cf0884f (diff)
parent	9413dd80f57aea6a1f3a1a0fe26b76c9fad0661c (diff)
download	gitlab-ce-41aa7a89fbe2f35d4a3b66bb55a98f224adc837c.tar.gz