From 49df677c475d6a20575b99b5af8323f65937dadb Mon Sep 17 00:00:00 2001
From: Ethan Koenig <etk39@cornell.edu>
Date: Sat, 29 Jul 2017 18:13:33 -0700
Subject: [PATCH] Check for access in /repositories/:id (#2227)

* Check for access in /repositories/:id

* Integration test
---
 integrations/api_repo_test.go | 8 ++++++++
 routers/api/v1/repo/repo.go   | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index e89a6359a..d5b1676d6 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -84,3 +84,11 @@ func TestAPIOrgRepos(t *testing.T) {
 		assert.False(t, repo.Private)
 	}
 }
+
+func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
+	prepareTestEnv(t)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
+	sess := loginUser(t, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repositories/2")
+	sess.MakeRequest(t, req, http.StatusNotFound)
+}
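Review bot: The new test pins only the negative path, so a regression that made GetByID answer 404 for every caller would still pass; the hunk should also carry a positive check. A companion test that logs in a user the fixtures grant read access on repository 2 and asserts `http.StatusOK` on the same `GET /api/v1/repositories/2` request would make the access check itself, not just the 404, the thing under test. The test also relies on the fixture facts that user 4 exists and has no access to repository 2, which are not stated anywhere in the hunk; a one-line comment such as `// user 4 has no access to repository 2 in the fixtures` above the `AssertExistsAndLoadBean` call would keep the intent readable when the fixtures change.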
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 178f1005e..edd6a7263 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -293,7 +293,10 @@ func GetByID(ctx *context.APIContext) {
 
 	access, err := models.AccessLevel(ctx.User.ID, repo)
 	if err != nil {
-		ctx.Error(500, "GetRepositoryByID", err)
+		ctx.Error(500, "AccessLevel", err)
+		return
+	} else if access < models.AccessModeRead {
+		ctx.Status(404)
 		return
 	}
 	ctx.JSON(200, repo.APIFormat(access))
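Review bot: The `else if access < models.AccessModeRead` branch follows an `if` that already ends in `return`, so the `else` is redundant and hides that the two checks are independent; writing it as a separate `if access < models.AccessModeRead { ctx.Status(404); return }` after the error block keeps the happy path left-aligned. Answering 404 rather than 403 to a caller below read access is the right choice here, since it presumably matches what the function returns when the repository id does not exist at all and so does not let an unauthorised caller probe which ids are taken; that earlier lookup is outside the hunk, so confirm the two paths really agree. GetByID starts before this hunk and continues past `ctx.JSON`; the `ctx.User.ID` dereference on the AccessLevel line is pre-existing, and if the route can be reached without a signed-in user it would panic before the new check runs, which is worth confirming against the route registration.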