Use 403 instead 404 for unpermitted actions

76cf7f34 · Oswaldo Ferreira · 726dd584 · 76cf7f34 · 76cf7f34
Commit 76cf7f34 authored May 26, 2017 by Oswaldo Ferreira
2 changed files
--- a/app/controllers/projects/issue_links_controller.rb
+++ b/app/controllers/projects/issue_links_controller.rb
@@ -16,9 +16,7 @@ module Projects
    def destroy
      issue_link = IssueLink.find(params[:id])

-      # In order to remove a given relation, one must be allowed to admin_issue_link both the current
-      # project and on the related issue project.
-      return render_404 unless can?(current_user, :admin_issue_link, issue_link.target.project)
+      return render_403 unless can?(current_user, :admin_issue_link, issue_link.target.project)

      result = IssueLinks::DestroyService.new(issue_link, current_user).execute

@@ -32,7 +30,7 @@ module Projects
    end

    def authorize_admin_issue_link!
-      render_404 unless can?(current_user, :admin_issue_link, @project)
+      render_403 unless can?(current_user, :admin_issue_link, @project)
    end

    def issue

--- a/spec/controllers/projects/issue_links_controller_spec.rb
+++ b/spec/controllers/projects/issue_links_controller_spec.rb
@@ -77,8 +77,8 @@ describe Projects::IssueLinksController, type: :controller do
      context 'when unauthorized' do
        let(:user_role) { :guest }

-        it 'returns 404' do
-          is_expected.to have_http_status(404)
+        it 'returns 403' do
+          is_expected.to have_http_status(403)
        end
      end

@@ -128,8 +128,8 @@ describe Projects::IssueLinksController, type: :controller do
      context 'when no authorization on current project' do
        let(:current_project_user_role) { :guest }

-        it 'returns 404' do
-          is_expected.to have_http_status(404)
+        it 'returns 403' do
+          is_expected.to have_http_status(403)
        end
      end

@@ -137,8 +137,8 @@ describe Projects::IssueLinksController, type: :controller do
        let(:referenced_issue) { create :issue }
        let(:current_project_user_role) { :developer }

-        it 'returns 404' do
-          is_expected.to have_http_status(404)
+        it 'returns 403' do
+          is_expected.to have_http_status(403)
        end
      end
    end