Validate audit event id on Groups API

Add presence and type validation on Audit Event ID when getting a Group-level audit event. This also makes it consistent with a similar API call to get Instance-level audit event.

Validate audit event id on Groups API
Add presence and type validation on Audit Event ID when getting a Group-level audit event. This also makes it consistent with a similar API call to get Instance-level audit event.
243e917e · Tan Le · Robert Speicher · c76f4fbc · 243e917e · 243e917e
Commit 243e917e authored Mar 09, 2020 by Tan Le Committed by Robert Speicher Mar 09, 2020
Showing with 17 additions and 2 deletions

doc/api/audit_events.md doc/api/audit_events.md +5 -1

ee/lib/ee/api/groups.rb ee/lib/ee/api/groups.rb +3 -0

ee/spec/requests/api/groups_spec.rb ee/spec/requests/api/groups_spec.rb +9 -1

No files found.
--- a/doc/api/audit_events.md
+++ b/doc/api/audit_events.md
@@ -91,6 +91,10 @@ Example response:
 GET /audit_events/:id
 ```

+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer | yes | The ID of the audit event |
+
 ```shell
 curl --header "PRIVATE-TOKEN: <your_access_token>" https://primary.example.com/api/v4/audit_events/1
 ```
@@ -195,7 +199,7 @@ GET /groups/:id/audit_events/:audit_event_id
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `id` | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
-| `audit_event_id` | integer | yes | ID of the audit event |
+| `audit_event_id` | integer | yes | The ID of the audit event |

 ```shell
 curl --header "PRIVATE-TOKEN: <your_access_token>" https://primary.example.com/api/v4/groups/60/audit_events/2

--- a/ee/lib/ee/api/groups.rb
+++ b/ee/lib/ee/api/groups.rb
@@ -110,6 +110,9 @@ module EE
            desc 'Get a specific audit event in this group.' do
              success EE::API::Entities::AuditEvent
            end
+            params do
+              requires :audit_event_id, type: Integer, desc: 'The ID of the audit event'
+            end
            get '/:audit_event_id' do
              audit_log_finder_params = audit_log_finder_params(user_group)
              audit_event = AuditLogFinder.new(audit_log_finder_params.merge(id: params[:audit_event_id])).execute

--- a/ee/spec/requests/api/groups_spec.rb
+++ b/ee/spec/requests/api/groups_spec.rb
@@ -465,9 +465,17 @@ describe API::Groups do
            end
          end

+          context 'invalid audit_event_id' do
+            let(:path) { "/groups/#{group.id}/audit_events/an-invalid-id" }
+
+            it_behaves_like '400 response' do
+              let(:request) { get api(path, user) }
+            end
+          end
+
          context 'non existent audit event' do
            context 'non existent audit event of a group' do
-              let(:path) { "/groups/#{group.id}/audit_events/non-existent-id" }
+              let(:path) { "/groups/#{group.id}/audit_events/666777" }

              it_behaves_like '404 response' do
                let(:request) { get api(path, user) }