Merge branch 'fix-users-deleting-public-deployment-keys' into 'security'

Fix users being able to delete instance public deployment keys See merge request !2049
2017-01-19 17:11:48 +00:00 · 2017-01-19 17:11:48 +00:00 · 60d1dcb83a
parent 30d5e9fa54
commit 60d1dcb83a
2 changed files with 11 additions and 3 deletions
--- a/changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml
+++ b/changelogs/unreleased/fix-users-deleting-public-deployment-keys.yml
@ -0,0 +1,4 @@
+---
+title: Prevent users from deleting system deploy keys via the project deploy key API
+merge_request:
+author:
--- a/lib/api/deploy_keys.rb
+++ b/lib/api/deploy_keys.rb
@ -105,15 +105,19 @@ module API
          present key.deploy_key, with: Entities::SSHKey
        end

-        desc 'Delete existing deploy key of currently authenticated user' do
+        desc 'Delete deploy key for a project' do
          success Key
        end
        params do
          requires :key_id, type: Integer, desc: 'The ID of the deploy key'
        end
        delete ":id/#{path}/:key_id" do
-          key = user_project.deploy_keys.find(params[:key_id])
-          key.destroy
+          key = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])
+          if key
+            key.destroy
+          else
+            not_found!('Deploy Key')
+          end
        end
      end
    end