diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go index e89a6359ae34..d5b1676d6eac 100644 --- a/integrations/api_repo_test.go +++ b/integrations/api_repo_test.go @@ -84,3 +84,11 @@ func TestAPIOrgRepos(t *testing.T) { assert.False(t, repo.Private) } } + +func TestAPIGetRepoByIDUnauthorized(t *testing.T) { + prepareTestEnv(t) + user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User) + sess := loginUser(t, user.Name) + req := NewRequestf(t, "GET", "/api/v1/repositories/2") + sess.MakeRequest(t, req, http.StatusNotFound) +} diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index 178f1005e522..edd6a72637aa 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -293,7 +293,10 @@ func GetByID(ctx *context.APIContext) { access, err := models.AccessLevel(ctx.User.ID, repo) if err != nil { - ctx.Error(500, "GetRepositoryByID", err) + ctx.Error(500, "AccessLevel", err) + return + } else if access < models.AccessModeRead { + ctx.Status(404) return } ctx.JSON(200, repo.APIFormat(access))