Commit 74581261 authored by Rémy Coutable's avatar Rémy Coutable

API: Return 404 when trying to fork to unaccessible namespace

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 2fea80d5
...@@ -207,7 +207,9 @@ module API ...@@ -207,7 +207,9 @@ module API
if namespace_id.present? if namespace_id.present?
namespace = Namespace.find_by(id: namespace_id) || Namespace.find_by_path_or_name(namespace_id) namespace = Namespace.find_by(id: namespace_id) || Namespace.find_by_path_or_name(namespace_id)
not_found!('Target Namespace') unless namespace unless namespace && can?(current_user, :create_projects, namespace)
not_found!('Target Namespace')
end
attrs[:namespace] = namespace attrs[:namespace] = namespace
end end
......
...@@ -94,7 +94,7 @@ describe API::API, api: true do ...@@ -94,7 +94,7 @@ describe API::API, api: true do
it 'fails if trying to fork to another user when not admin' do it 'fails if trying to fork to another user when not admin' do
post api("/projects/fork/#{project.id}", user2), namespace: admin.namespace.id post api("/projects/fork/#{project.id}", user2), namespace: admin.namespace.id
expect(response).to have_http_status(409) expect(response).to have_http_status(404)
end end
it 'fails if trying to fork to non-existent namespace' do it 'fails if trying to fork to non-existent namespace' do
...@@ -114,7 +114,7 @@ describe API::API, api: true do ...@@ -114,7 +114,7 @@ describe API::API, api: true do
it 'fails to fork to not owned group' do it 'fails to fork to not owned group' do
post api("/projects/fork/#{project.id}", user2), namespace: group.name post api("/projects/fork/#{project.id}", user2), namespace: group.name
expect(response).to have_http_status(409) expect(response).to have_http_status(404)
end end
it 'forks to not owned group when admin' do it 'forks to not owned group when admin' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment