Commit 81ba3f91 authored by Rémy Coutable's avatar Rémy Coutable

API: Introduce `#find_group!` which also check access permission

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 4f5ed812
......@@ -82,7 +82,7 @@ module API
:lfs_enabled, :request_access_enabled
end
put ':id' do
group = find_group(params[:id])
group = find_group!(params[:id])
authorize! :admin_group, group
if ::Groups::UpdateService.new(group, current_user, declared_params(include_missing: false)).execute
......@@ -96,13 +96,13 @@ module API
success Entities::GroupDetail
end
get ":id" do
group = find_group(params[:id])
group = find_group!(params[:id])
present group, with: Entities::GroupDetail
end
desc 'Remove a group.'
delete ":id" do
group = find_group(params[:id])
group = find_group!(params[:id])
authorize! :admin_group, group
DestroyGroupService.new(group, current_user).execute
end
......@@ -111,7 +111,7 @@ module API
success Entities::Project
end
get ":id/projects" do
group = find_group(params[:id])
group = find_group!(params[:id])
projects = GroupProjectsFinder.new(group).execute(current_user)
projects = paginate projects
present projects, with: Entities::Project, user: current_user
......
......@@ -105,7 +105,15 @@ module API
end
def find_group(id)
group = Group.find_by(path: id) || Group.find_by(id: id)
if id =~ /^\d+$/
Group.find_by(id: id)
else
Group.find_by(path: id)
end
end
def find_group!(id)
group = find_group(id)
if can?(current_user, :read_group, group)
group
......
......@@ -2,7 +2,7 @@ module API
module Helpers
module MembersHelpers
def find_source(source_type, id)
public_send("find_#{source_type}", id)
public_send("find_#{source_type}!", id)
end
def authorize_admin_source!(source_type, source)
......
......@@ -68,7 +68,7 @@ module API
# GET /groups/:id/issues?milestone=1.0.0
# GET /groups/:id/issues?milestone=1.0.0&state=closed
get ":id/issues" do
group = find_group(params[:id])
group = find_group!(params[:id])
params[:state] ||= 'opened'
params[:group_id] = group.id
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment