From dd37a10df44bd1771aa8b163fd857628d03842d9 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Mon, 23 Feb 2015 23:14:57 +0100
Subject: Don't leak information about private project existence via
 Git-over-SSH/HTTP.

---
 lib/api/internal.rb | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

(limited to 'lib/api')

diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index ba3fe619b92..753d0fcbd98 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -16,6 +16,17 @@ module API
       #
       post "/allowed" do
         status 200
+
+        actor = if params[:key_id]
+                  Key.find_by(id: params[:key_id])
+                elsif params[:user_id]
+                  User.find_by(id: params[:user_id])
+                end
+
+        unless actor
+          return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+        end
+
         project_path = params[:project]
 
         # Check for *.wiki repositories.
@@ -32,26 +43,20 @@ module API
 
         project = Project.find_with_namespace(project_path)
 
-        unless project
-          return Gitlab::GitAccessStatus.new(false, 'No such project')
+        if project
+          status = access.check(
+            actor,
+            params[:action],
+            project,
+            params[:changes]
+          )
         end
 
-        actor = if params[:key_id]
-                  Key.find_by(id: params[:key_id])
-                elsif params[:user_id]
-                  User.find_by(id: params[:user_id])
-                end
-
-        unless actor
-          return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+        if project && status && status.allowed?
+          status
+        else
+          Gitlab::GitAccessStatus.new(false, 'No such project')
         end
-
-        access.check(
-          actor,
-          params[:action],
-          project,
-          params[:changes]
-        )
       end
 
       #
-- 
cgit v1.2.1