6 files changed, 25 insertions, 52 deletions

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index a9b364da9e1..b680c43a269 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -90,6 +90,11 @@ module API
       MergeRequestsFinder.new(current_user, project_id: user_project.id).find_by!(iid: iid)
     end
 
+    def find_project_snippet(id)
+      finder_params = { filter: :by_project, project: user_project }
+      SnippetsFinder.new.execute(current_user, finder_params).find(id)
+    end
+
     def find_merge_request_with_access(iid, access_level = :read_merge_request)
       merge_request = user_project.merge_requests.find_by!(iid: iid)
       authorize! access_level, merge_request
diff --git a/lib/api/helpers/runner.rb b/lib/api/helpers/runner.rb
index 74848a6e144..1369b021ea4 100644
--- a/lib/api/helpers/runner.rb
+++ b/lib/api/helpers/runner.rb
@@ -50,10 +50,14 @@ module API
         forbidden!('Job has been erased!') if job.erased?
       end
 
-      def authenticate_job!(job)
+      def authenticate_job!
+        job = Ci::Build.find_by_id(params[:id])
+
         validate_job!(job) do
           forbidden! unless job_token_valid?(job)
         end
+
+        job
       end
 
       def job_token_valid?(job)
diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb
index 7a03955a045..09821945053 100644
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@@ -226,41 +226,6 @@ module API
           .cancel(merge_request)
       end
 
-      desc 'Get the comments of a merge request' do
-        success Entities::MRNote
-      end
-      params do
-        use :pagination
-      end
-      get ':id/merge_requests/:merge_request_iid/comments' do
-        merge_request = find_merge_request_with_access(params[:merge_request_iid])
-        present paginate(merge_request.notes.fresh), with: Entities::MRNote
-      end
-
-      desc 'Post a comment to a merge request' do
-        success Entities::MRNote
-      end
-      params do
-        requires :note, type: String, desc: 'The text of the comment'
-      end
-      post ':id/merge_requests/:merge_request_iid/comments' do
-        merge_request = find_merge_request_with_access(params[:merge_request_iid], :create_note)
-
-        opts = {
-          note: params[:note],
-          noteable_type: 'MergeRequest',
-          noteable_id: merge_request.id
-        }
-
-        note = ::Notes::CreateService.new(user_project, current_user, opts).execute
-
-        if note.save
-          present note, with: Entities::MRNote
-        else
-          render_api_error!("Failed to save note #{note.errors.messages}", 400)
-        end
-      end
-
       desc 'List issues that will be closed on merge' do
         success Entities::MRNote
       end
diff --git a/lib/api/notes.rb b/lib/api/notes.rb
index 3b3e45cbd06..3dee8938179 100644
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -21,7 +21,7 @@ module API
           use :pagination
         end
         get ":id/#{noteables_str}/:noteable_id/notes" do
-          noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
+          noteable = find_project_noteable(noteables_str, params[:noteable_id])
 
           if can?(current_user, noteable_read_ability_name(noteable), noteable)
             # We exclude notes that are cross-references and that cannot be viewed
@@ -49,7 +49,7 @@ module API
           requires :noteable_id, type: Integer, desc: 'The ID of the noteable'
         end
         get ":id/#{noteables_str}/:noteable_id/notes/:note_id" do
-          noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
+          noteable = find_project_noteable(noteables_str, params[:noteable_id])
           note = noteable.notes.find(params[:note_id])
           can_read_note = can?(current_user, noteable_read_ability_name(noteable), noteable) && !note.cross_reference_not_visible_for?(current_user)
 
@@ -69,14 +69,14 @@ module API
           optional :created_at, type: String, desc: 'The creation date of the note'
         end
         post ":id/#{noteables_str}/:noteable_id/notes" do
+          noteable = find_project_noteable(noteables_str, params[:noteable_id])
+
           opts = {
             note: params[:body],
             noteable_type: noteables_str.classify,
-            noteable_id: params[:noteable_id]
+            noteable_id: noteable.id
           }
 
-          noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
-
           if can?(current_user, noteable_read_ability_name(noteable), noteable)
             if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
               opts[:created_at] = params[:created_at]
@@ -137,6 +137,10 @@ module API
     end
 
     helpers do
+      def find_project_noteable(noteables_str, noteable_id)
+        public_send("find_project_#{noteables_str.singularize}", noteable_id)
+      end
+
       def noteable_read_ability_name(noteable)
         "read_#{noteable.class.to_s.underscore}".to_sym
       end
diff --git a/lib/api/runner.rb b/lib/api/runner.rb
index 4c9db2c8716..d288369e362 100644
--- a/lib/api/runner.rb
+++ b/lib/api/runner.rb
@@ -113,8 +113,7 @@ module API
         optional :state, type: String, desc: %q(Job's status: success, failed)
       end
       put '/:id' do
-        job = Ci::Build.find_by_id(params[:id])
-        authenticate_job!(job)
+        job = authenticate_job!
 
         job.update_attributes(trace: params[:trace]) if params[:trace]
 
@@ -140,8 +139,7 @@ module API
         optional :token, type: String, desc: %q(Job's authentication token)
       end
       patch '/:id/trace' do
-        job = Ci::Build.find_by_id(params[:id])
-        authenticate_job!(job)
+        job = authenticate_job!
 
         error!('400 Missing header Content-Range', 400) unless request.headers.has_key?('Content-Range')
         content_range = request.headers['Content-Range']
@@ -175,8 +173,7 @@ module API
         require_gitlab_workhorse!
         Gitlab::Workhorse.verify_api_request!(headers)
 
-        job = Ci::Build.find_by_id(params[:id])
-        authenticate_job!(job)
+        job = authenticate_job!
         forbidden!('Job is not running') unless job.running?
 
         if params[:filesize]
@@ -212,8 +209,7 @@ module API
         not_allowed! unless Gitlab.config.artifacts.enabled
         require_gitlab_workhorse!
 
-        job = Ci::Build.find_by_id(params[:id])
-        authenticate_job!(job)
+        job = authenticate_job!
         forbidden!('Job is not running!') unless job.running?
 
         artifacts_upload_path = ArtifactUploader.artifacts_upload_path
@@ -245,8 +241,7 @@ module API
         optional :token, type: String, desc: %q(Job's authentication token)
       end
       get '/:id/artifacts' do
-        job = Ci::Build.find_by_id(params[:id])
-        authenticate_job!(job)
+        job = authenticate_job!
 
         artifacts_file = job.artifacts_file
         unless artifacts_file.file_storage?
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 549003f576a..a309be9d0fa 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -312,7 +312,7 @@ module API
         user = User.find_by(id: params[:id])
         not_found!('User') unless user
 
-        ::Users::DestroyService.new(current_user).execute(user)
+        DeleteUserWorker.perform_async(current_user.id, user.id)
       end
 
       desc 'Block a user. Available only for admins.'