author Sebastian Ziebell <sebastian.ziebell@asquera.de> 2013-02-16 14:42:49 +0100
committer Sebastian Ziebell <sebastian.ziebell@asquera.de> 2013-02-16 14:42:49 +0100
commit e9d3b9659525c23a1d8c3b755c792040a5b41148 (patch)
tree c2a1b4ef6b8a1e2a092ed2d52cfa44251e04be69 /lib/api/projects.rb
parent ed3f44085e01f50864ce840f007a50d2154df6f5 (diff)
API: fixes visibility of project hook
When a user is not authorized to see the list of hooks for a project, he is still able to access the hooks separately. For example if access to `GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error it is still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`. Fixes access, also added tests to check access and status codes of hooks.
Diffstat (limited to 'lib/api/projects.rb')
-rw-r--r-- lib/api/projects.rb 1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index d416121a78a..921aa237f26 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -155,6 +155,7 @@ module Gitlab
# Example Request:
# GET /projects/:id/hooks/:hook_id
get ":id/hooks/:hook_id" do
+ authorize! :admin_project, user_project
@hook = user_project.hooks.find(params[:hook_id])
present @hook, with: Entities::Hook
end
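Review bot: the permission check is added by hand inside the `get ":id/hooks/:hook_id"` block, and per-route placement is how this endpoint ended up unguarded while the list endpoint described in the commit message already returned 403. Consider moving `authorize! :admin_project, user_project` into one shared filter that covers every `:id/hooks` route, or at minimum confirm that the other hook routes in this file (not visible in this hunk) carry the same line. The placement before `user_project.hooks.find(params[:hook_id])` is right, since an unauthorized caller gets the same response whether or not the hook id exists. The comment block above the route still shows only the example request; it should state that the caller needs `:admin_project` on the project. The tests mentioned in the commit message are outside this file-limited view, so they should be checked for a case where a non-admin project member requests an existing hook id directly.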