API: Introduce #find_group! which also check access permission

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-11-24 16:58:32 +01:00 · 2016-11-24 16:58:32 +01:00 · 81ba3f9177
commit 81ba3f9177
parent 4f5ed81232
4 changed files with 15 additions and 7 deletions
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@ -82,7 +82,7 @@ module API
                        :lfs_enabled, :request_access_enabled
      end
      put ':id' do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        authorize! :admin_group, group
        if ::Groups::UpdateService.new(group, current_user, declared_params(include_missing: false)).execute
@ -96,13 +96,13 @@ module API
        success Entities::GroupDetail
      end
      get ":id" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        present group, with: Entities::GroupDetail
      end
      desc 'Remove a group.'
      delete ":id" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        authorize! :admin_group, group
        DestroyGroupService.new(group, current_user).execute
      end
@ -111,7 +111,7 @@ module API
        success Entities::Project
      end
      get ":id/projects" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        projects = GroupProjectsFinder.new(group).execute(current_user)
        projects = paginate projects
        present projects, with: Entities::Project, user: current_user
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -105,7 +105,15 @@ module API
    end
    def find_group(id)
-      group = Group.find_by(path: id) || Group.find_by(id: id)
+      if id =~ /^\d+$/
        Group.find_by(id: id)
      else
        Group.find_by(path: id)
      end
    end
    def find_group!(id)
      group = find_group(id)
      if can?(current_user, :read_group, group)
        group
--- a/lib/api/helpers/members_helpers.rb
+++ b/lib/api/helpers/members_helpers.rb
@ -2,7 +2,7 @@ module API
  module Helpers
    module MembersHelpers
      def find_source(source_type, id)
-        public_send("find_#{source_type}", id)
+        public_send("find_#{source_type}!", id)
      end
      def authorize_admin_source!(source_type, source)
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@ -68,7 +68,7 @@ module API
      #   GET /groups/:id/issues?milestone=1.0.0
      #   GET /groups/:id/issues?milestone=1.0.0&state=closed
      get ":id/issues" do
-        group = find_group(params[:id])
+        group = find_group!(params[:id])
        params[:state] ||= 'opened'
        params[:group_id] = group.id