Fix the user-agent detail API endpoint for project snippets

2018-01-17 14:30:07 +00:00 · 2018-01-17 14:30:07 +00:00 · 1a3bcc76ea
commit 1a3bcc76ea
parent f17d7a4bee
3 changed files with 16 additions and 8 deletions
--- a/doc/api/project_snippets.md
+++ b/doc/api/project_snippets.md
@ -131,12 +131,13 @@ Available only for admins.
 GET /projects/:id/snippets/:snippet_id/user_agent_detail
 ```

-| Attribute   | Type    | Required | Description                          |
-|-------------|---------|----------|--------------------------------------|
-| `id`        | Integer | yes      | The ID of a snippet                  |
+| Attribute     | Type    | Required | Description                          |
+|---------------|---------|----------|--------------------------------------|
+| `id`          | Integer | yes      | The ID of a project                  |
+| `snippet_id`  | Integer | yes      | The ID of a snippet                  |

 ```bash
-curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/1/user_agent_detail
+curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/2/user_agent_detail
 ```

 Example response:
--- a/lib/api/project_snippets.rb
+++ b/lib/api/project_snippets.rb
@ -143,7 +143,7 @@ module API
      get ":id/snippets/:snippet_id/user_agent_detail" do
        authenticated_as_admin!

-        snippet = Snippet.find_by!(id: params[:id])
+        snippet = Snippet.find_by!(id: params[:snippet_id], project_id: params[:id])

        return not_found!('UserAgentDetail') unless snippet.user_agent_detail

--- a/spec/requests/api/project_snippets_spec.rb
+++ b/spec/requests/api/project_snippets_spec.rb
@ -1,9 +1,9 @@
 require 'rails_helper'

 describe API::ProjectSnippets do
-  let(:project) { create(:project, :public) }
-  let(:user) { create(:user) }
-  let(:admin) { create(:admin) }
+  set(:project) { create(:project, :public) }
+  set(:user) { create(:user) }
+  set(:admin) { create(:admin) }

  describe "GET /projects/:project_id/snippets/:id/user_agent_detail" do
    let(:snippet) { create(:project_snippet, :public, project: project) }
@ -18,6 +18,13 @@ describe API::ProjectSnippets do
      expect(json_response['akismet_submitted']).to eq(user_agent_detail.submitted)
    end

+    it 'respects project scoping' do
+      other_project = create(:project)
+
+      get api("/projects/#{other_project.id}/snippets/#{snippet.id}/user_agent_detail", admin)
+      expect(response).to have_gitlab_http_status(404)
+    end
+
    it "returns unautorized for non-admin users" do
      get api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/user_agent_detail", user)