diff options
author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-10-29 13:38:00 +0200 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-10-29 13:38:00 +0200 |
commit | eea6a8a17deb384bfe6b9b83462df6cb5f7f17ad (patch) | |
tree | f45090e565e5fd3bacd90070a7cc673d69fa74cf /lib | |
parent | f6491508fe54c75c8db8db17b27d6d7912198a7a (diff) | |
download | gitlab-ce-eea6a8a17deb384bfe6b9b83462df6cb5f7f17ad.tar.gz |
Dont allow guests..developers to manage group members
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/group_members.rb | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/api/group_members.rb b/lib/api/group_members.rb index 24c141e9b71..d596517c816 100644 --- a/lib/api/group_members.rb +++ b/lib/api/group_members.rb @@ -39,14 +39,18 @@ module API # Example Request: # POST /groups/:id/members post ":id/members" do + group = find_group(params[:id]) + authorize! :manage_group, group required_attributes! [:user_id, :access_level] + unless validate_access_level?(params[:access_level]) render_api_error!("Wrong access level", 422) end - group = find_group(params[:id]) + if group.group_members.find_by(user_id: params[:user_id]) render_api_error!("Already exists", 409) end + group.add_users([params[:user_id]], params[:access_level]) member = group.group_members.find_by(user_id: params[:user_id]) present member.user, with: Entities::GroupMember, group: group @@ -62,7 +66,9 @@ module API # DELETE /groups/:id/members/:user_id delete ":id/members/:user_id" do group = find_group(params[:id]) - member = group.group_members.find_by(user_id: params[:user_id]) + authorize! :manage_group, group + member = group.group_members.find_by(user_id: params[:user_id]) + if member.nil? render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404) else |