diff options
author | Ethan Koenig <etk39@cornell.edu> | 2017-07-29 18:13:33 -0700 |
---|---|---|
committer | Lunny Xiao <xiaolunwen@gmail.com> | 2017-07-30 09:13:33 +0800 |
commit | 49df677c475d6a20575b99b5af8323f65937dadb (patch) | |
tree | a566cce313e3eb41f116685017b04863a4e3dac2 | |
parent | a9cc538ab5a2a3a37b69041daf435169d15dd05c (diff) | |
download | gitea-49df677c475d6a20575b99b5af8323f65937dadb.tar.gz gitea-49df677c475d6a20575b99b5af8323f65937dadb.zip |
Check for access in /repositories/:id (#2227)
* Check for access in /repositories/:id
* Integration test
-rw-r--r-- | integrations/api_repo_test.go | 8 | ||||
-rw-r--r-- | routers/api/v1/repo/repo.go | 5 |
2 files changed, 12 insertions, 1 deletions
diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go index e89a6359ae..d5b1676d6e 100644 --- a/integrations/api_repo_test.go +++ b/integrations/api_repo_test.go @@ -84,3 +84,11 @@ func TestAPIOrgRepos(t *testing.T) { assert.False(t, repo.Private) } } + +func TestAPIGetRepoByIDUnauthorized(t *testing.T) { + prepareTestEnv(t) + user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User) + sess := loginUser(t, user.Name) + req := NewRequestf(t, "GET", "/api/v1/repositories/2") + sess.MakeRequest(t, req, http.StatusNotFound) +} diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index 178f1005e5..edd6a72637 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -293,7 +293,10 @@ func GetByID(ctx *context.APIContext) { access, err := models.AccessLevel(ctx.User.ID, repo) if err != nil { - ctx.Error(500, "GetRepositoryByID", err) + ctx.Error(500, "AccessLevel", err) + return + } else if access < models.AccessModeRead { + ctx.Status(404) return } ctx.JSON(200, repo.APIFormat(access)) |