authorEthan Koenig <etk39@cornell.edu>2017-07-29 18:13:33 -0700
committerLunny Xiao <xiaolunwen@gmail.com>2017-07-30 09:13:33 +0800
commit49df677c475d6a20575b99b5af8323f65937dadb (patch)
treea566cce313e3eb41f116685017b04863a4e3dac2
parenta9cc538ab5a2a3a37b69041daf435169d15dd05c (diff)
Check for access in /repositories/:id (#2227)
* Check for access in /repositories/:id * Integration test
-rw-r--r--integrations/api_repo_test.go8
-rw-r--r--routers/api/v1/repo/repo.go5
2 files changed, 12 insertions, 1 deletions
diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index e89a6359ae..d5b1676d6e 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -84,3 +84,11 @@ func TestAPIOrgRepos(t *testing.T) {
assert.False(t, repo.Private)
}
}
+
+func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
+ prepareTestEnv(t)
+ user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
+ sess := loginUser(t, user.Name)
+ req := NewRequestf(t, "GET", "/api/v1/repositories/2")
+ sess.MakeRequest(t, req, http.StatusNotFound)
+}
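Review bot: TestAPIGetRepoByIDUnauthorized pins only the denied case, so a regression that returned 404 to every caller of `/api/v1/repositories/:id` would still pass. A companion case that logs in as a user who does have read access to the same repository and expects `http.StatusOK` would pin both sides of the new check. The test also depends on fixture facts that are not visible in the hunk (presumably repository 2 is private and user 4 has no access to it); a short comment such as `// user 4 has no access to private repo 2 (see fixtures)` would make that assumption explicit.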
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 178f1005e5..edd6a72637 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -293,7 +293,10 @@ func GetByID(ctx *context.APIContext) {
access, err := models.AccessLevel(ctx.User.ID, repo)
if err != nil {
- ctx.Error(500, "GetRepositoryByID", err)
+ ctx.Error(500, "AccessLevel", err)
+ return
+ } else if access < models.AccessModeRead {
+ ctx.Status(404)
return
}
ctx.JSON(200, repo.APIFormat(access))
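Review bot: The new `access < models.AccessModeRead` branch is only reached after `ctx.User.ID` is dereferenced on the context line above it. If this route can be reached without a signed-in user (the route registration is not visible here), the request would panic instead of getting the 404, so either confirm the route sits behind the auth middleware or guard `ctx.User` before the call. Answering 404 rather than 403 avoids confirming that a private repository with a given ID exists; a comment such as `// 404, not 403: do not reveal that a private repository with this ID exists` would record that intent for later maintainers. As a style point, the `else if` follows a branch that returns and could be a separate `if`. GetByID starts and ends outside this hunk.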