From 1a3bcc76ea14dda52447a517122117942914ecac Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Wed, 17 Jan 2018 14:30:07 +0000 Subject: [PATCH] Fix the user-agent detail API endpoint for project snippets --- doc/api/project_snippets.md | 9 +++++---- lib/api/project_snippets.rb | 2 +- spec/requests/api/project_snippets_spec.rb | 13 ++++++++++--- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/doc/api/project_snippets.md b/doc/api/project_snippets.md index ad2521230e6..cc495c5d091 100644 --- a/doc/api/project_snippets.md +++ b/doc/api/project_snippets.md @@ -131,12 +131,13 @@ Available only for admins. GET /projects/:id/snippets/:snippet_id/user_agent_detail ``` -| Attribute | Type | Required | Description | -|-------------|---------|----------|--------------------------------------| -| `id` | Integer | yes | The ID of a snippet | +| Attribute | Type | Required | Description | +|---------------|---------|----------|--------------------------------------| +| `id` | Integer | yes | The ID of a project | +| `snippet_id` | Integer | yes | The ID of a snippet | ```bash -curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/1/user_agent_detail +curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/2/user_agent_detail ``` Example response: diff --git a/lib/api/project_snippets.rb b/lib/api/project_snippets.rb index 5bed58c2d63..39c03c40bab 100644 --- a/lib/api/project_snippets.rb +++ b/lib/api/project_snippets.rb @@ -143,7 +143,7 @@ module API get ":id/snippets/:snippet_id/user_agent_detail" do authenticated_as_admin! - snippet = Snippet.find_by!(id: params[:id]) + snippet = Snippet.find_by!(id: params[:snippet_id], project_id: params[:id]) return not_found!('UserAgentDetail') unless snippet.user_agent_detail 
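Review bot: The new lookup on the `+` line scopes by `project_id: params[:id]`, but `:id` in this route is the project identifier, and if this resource accepts the URL-encoded project path that GitLab's other project endpoints allow for `:id`, a path value would fail the integer comparison and produce a 404 instead of resolving the project. If the `user_project` helper used by the sibling routes in this file is available here (it is not visible in the hunk), `snippet = user_project.snippets.find_by!(id: params[:snippet_id])` resolves either form and keeps the same project scoping. The ordering is right from a security standpoint: `authenticated_as_admin!` runs before the lookup, so non-admins cannot probe snippet ids, and a snippet belonging to another project now raises `RecordNotFound` rather than being returned. A one-line comment would make the intent survive future edits, e.g. `# Scope by project so a snippet id from another project is a 404, not a cross-project read`. The `get` block's `present` call and closing `end` fall outside the hunk.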
diff --git a/spec/requests/api/project_snippets_spec.rb b/spec/requests/api/project_snippets_spec.rb index e741ac4b7bd..4a2289ca137 100644 --- a/spec/requests/api/project_snippets_spec.rb +++ b/spec/requests/api/project_snippets_spec.rb @@ -1,9 +1,9 @@ require 'rails_helper' describe API::ProjectSnippets do - let(:project) { create(:project, :public) } - let(:user) { create(:user) } - let(:admin) { create(:admin) } + set(:project) { create(:project, :public) } + set(:user) { create(:user) } + set(:admin) { create(:admin) } describe "GET /projects/:project_id/snippets/:id/user_agent_detail" do let(:snippet) { create(:project_snippet, :public, project: project) } @@ -18,6 +18,13 @@ describe API::ProjectSnippets do expect(json_response['akismet_submitted']).to eq(user_agent_detail.submitted) end + it 'respects project scoping' do + other_project = create(:project) + + get api("/projects/#{other_project.id}/snippets/#{snippet.id}/user_agent_detail", admin) + expect(response).to have_gitlab_http_status(404) + end + it "returns unautorized for non-admin users" do get api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/user_agent_detail", user)
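Review bot: Switching `project`, `user` and `admin` from `let` to `set` in the first hunk changes their lifetime, not just their spelling: if `set` is the once-per-file fixture helper its use in place of `let` suggests, one `project` and one `admin` record are now shared across every example in this spec, so any example that mutates them (changing visibility, deleting the project, revoking admin) would leak that state into later examples. I cannot see the rest of the file from this hunk, so this may be harmless today, but it is worth confirming no example writes to these records before relying on them being shared. If any does, keep that fixture as `let(:project) { create(:project, :public) }` and reserve `set` for the read-only ones.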