API: Introduce #find_project! which also check access permission

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-11-24 14:40:35 +01:00 · 2016-11-24 14:40:35 +01:00 · 4f5ed81232
commit 4f5ed81232
parent 304163becb
2 changed files with 11 additions and 8 deletions
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -68,7 +68,7 @@ module API
    end

    def user_project
-      @project ||= find_project(params[:id])
+      @project ||= find_project!(params[:id])
    end

    def available_labels
@ -76,12 +76,15 @@ module API
    end

    def find_project(id)
-      project =
-        if id =~ /^\d+$/
-          Project.find_by(id: id)
-        else
-          Project.find_with_namespace(id)
-        end
+      if id =~ /^\d+$/
+        Project.find_by(id: id)
+      else
+        Project.find_with_namespace(id)
+      end
+    end
+
+    def find_project!(id)
+      project = find_project(id)

      if can?(current_user, :read_project, project)
        project
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@ -379,7 +379,7 @@ module API
      #   POST /projects/:id/fork/:forked_from_id
      post ":id/fork/:forked_from_id" do
        authenticated_as_admin!
-        forked_from_project = find_project(params[:forked_from_id])
+        forked_from_project = find_project!(params[:forked_from_id])
        unless forked_from_project.nil?
          if user_project.forked_from_project.nil?
            user_project.create_forked_project_link(forked_to_project_id: user_project.id, forked_from_project_id: forked_from_project.id)