API: Introduce #find_project! which also check access permission

Signed-off-by: Rémy Coutable <remy@rymai.me>
This commit is contained in:
Rémy Coutable 2016-11-24 14:40:35 +01:00
parent 304163becb
commit 4f5ed81232
No known key found for this signature in database
GPG key ID: 46DF07E5CD9E96AB
2 changed files with 11 additions and 8 deletions

View file

@ -68,7 +68,7 @@ module API
end
def user_project
@project ||= find_project(params[:id])
@project ||= find_project!(params[:id])
end
def available_labels
@ -76,12 +76,15 @@ module API
end
def find_project(id)
project =
if id =~ /^\d+$/
Project.find_by(id: id)
else
Project.find_with_namespace(id)
end
end
def find_project!(id)
project = find_project(id)
if can?(current_user, :read_project, project)
project

View file

@ -379,7 +379,7 @@ module API
# POST /projects/:id/fork/:forked_from_id
post ":id/fork/:forked_from_id" do
authenticated_as_admin!
forked_from_project = find_project(params[:forked_from_id])
forked_from_project = find_project!(params[:forked_from_id])
unless forked_from_project.nil?
if user_project.forked_from_project.nil?
user_project.create_forked_project_link(forked_to_project_id: user_project.id, forked_from_project_id: forked_from_project.id)