Commit b2f48d8c authored by Robert Schilling's avatar Robert Schilling

API: Return 404 if user does not have access to group

parent 6bb71869
...@@ -40,6 +40,7 @@ v 8.7.0 (unreleased) ...@@ -40,6 +40,7 @@ v 8.7.0 (unreleased)
- Fix admin/projects when using visibility levels on search (PotHix) - Fix admin/projects when using visibility levels on search (PotHix)
- Build status notifications - Build status notifications
- API: Expose user location (Robert Schilling) - API: Expose user location (Robert Schilling)
- API: Do not leak group existence via return code (Robert Schilling)
- ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591 - ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
- Update number of Todos in the sidebar when it's marked as "Done". !3600 - Update number of Todos in the sidebar when it's marked as "Done". !3600
- API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling) - API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)
...@@ -91,8 +91,7 @@ module API ...@@ -91,8 +91,7 @@ module API
if can?(current_user, :read_group, group) if can?(current_user, :read_group, group)
group group
else else
forbidden!("#{current_user.username} lacks sufficient "\ not_found!('Group')
"access to #{group.name}")
end end
end end
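Review bot: Returning `not_found!('Group')` in the else branch only closes the existence leak if a group that really does not exist produces the same status and body; the lookup happens above this hunk, so I cannot confirm whether a missing record there goes through a different 404 path with a different message. If the two messages differ, the response body still distinguishes "no such group" from "group you may not read", and both paths should end in the same `not_found!('Group')` call. A one-line comment above the branch would keep the intent visible to the next maintainer: `# 404 rather than 403: a 403 would confirm the group exists to a user who cannot read it.` The enclosing method starts before this hunk.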
...@@ -61,7 +61,8 @@ describe API::API, api: true do ...@@ -61,7 +61,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}", user1) get api("/groups/#{group2.id}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end end
end end
...@@ -92,7 +93,8 @@ describe API::API, api: true do ...@@ -92,7 +93,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}", user1) get api("/groups/#{group2.path}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end end
end end
end end
...@@ -157,7 +159,8 @@ describe API::API, api: true do ...@@ -157,7 +159,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}/projects", user1) get api("/groups/#{group2.id}/projects", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end end
end end
...@@ -189,7 +192,8 @@ describe API::API, api: true do ...@@ -189,7 +192,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}/projects", user1) get api("/groups/#{group2.path}/projects", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end end
end end
end end
...@@ -247,7 +251,8 @@ describe API::API, api: true do ...@@ -247,7 +251,8 @@ describe API::API, api: true do
it "should not remove a group not attached to user1" do it "should not remove a group not attached to user1" do
delete api("/groups/#{group2.id}", user1) delete api("/groups/#{group2.id}", user1)
expect(response.status).to eq(403)
expect(response.status).to eq(404)
end end
end end
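Review bot: The updated expectations in all five examples (the `/groups/:id`, `/groups/:path`, both `/projects` routes and the DELETE) pin only the status code, so they would still pass if the 404 body for an inaccessible group differed from the body for a nonexistent one, which is the very distinction this commit is meant to remove. Consider also asserting the message, e.g. `expect(json_response['message']).to eq('404 Group Not Found')` if the spec helpers expose the parsed body under that name and that is the string `not_found!('Group')` produces here, and pairing each example with one that requests an id that does not exist and expects the identical response. Each `describe` block containing these examples starts before its hunk, so I cannot see whether such a nonexistent-group example already exists.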