From c9be74e24797c1dab5b443728349bb0c5ce969c3 Mon Sep 17 00:00:00 2001 From: Felipe Artur Date: Mon, 16 May 2016 16:43:19 -0300 Subject: Fix single note api request --- lib/api/helpers.rb | 4 ++++ lib/api/notes.rb | 10 +++++----- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'lib/api') diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 40c967453fb..1003b596aec 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -397,5 +397,9 @@ module API error!(errors[:access_level], 422) if errors[:access_level].any? not_found!(errors) end + + def noteable_ability_name(noteable) + "read_#{noteable.class.to_s.underscore.downcase}".to_sym + end end end diff --git a/lib/api/notes.rb b/lib/api/notes.rb index f0116acd90f..c49b107d1d9 100644 --- a/lib/api/notes.rb +++ b/lib/api/notes.rb @@ -20,9 +20,8 @@ module API # GET /projects/:id/snippets/:noteable_id/notes get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym]) - read_ability_name = "read_#{@noteable.class.to_s.underscore.downcase}".to_sym - if can?(current_user, read_ability_name, @noteable) + if can?(current_user, noteable_ability_name(@noteable), @noteable) # We exclude notes that are cross-references and that cannot be viewed # by the current user. By doing this exclusion at this level and not # at the DB query level (which we cannot in that case), the current @@ -52,11 +51,12 @@ module API get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym]) @note = @noteable.notes.find(params[:note_id]) + can_read_note = can?(current_user, noteable_ability_name(@noteable), @noteable) && !@note.cross_reference_not_visible_for?(current_user) - if @note.cross_reference_not_visible_for?(current_user) - not_found!("Note") - else + if can_read_note present @note, with: Entities::Note + else + not_found!("Note") end end -- cgit v1.2.1