Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576
author: Stan Hu <stanhu@gmail.com> 2016-04-25 08:39:18 +0300
committer: Stan Hu <stanhu@gmail.com> 2016-04-25 09:53:59 +0300
commit: 9413dd80f57aea6a1f3a1a0fe26b76c9fad0661c (patch)
tree: 22f4420d63db538a4bd48567b1acc373518efef0 /lib/api/project_hooks.rb
parent: 954af77b39b89555ba79063341010a10617e9e5b (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/api/project_hooks.rb b/lib/api/project_hooks.rb
index cf9938d25a7..ccca65cbe1c 100644
--- a/lib/api/project_hooks.rb
+++ b/lib/api/project_hooks.rb
@@ -103,10 +103,10 @@ module API
         required_attributes! [:hook_id]
 
         begin
-          @hook = ProjectHook.find(params[:hook_id])
-          @hook.destroy
+          @hook = user_project.hooks.destroy(params[:hook_id])
         rescue
           # ProjectHook can raise Error if hook_id not found
+          not_found!("Error deleting hook #{params[:hook_id]}")
         end
       end
     end
author	Stan Hu <stanhu@gmail.com>	2016-04-25 08:39:18 +0300
committer	Stan Hu <stanhu@gmail.com>	2016-04-25 09:53:59 +0300
commit	9413dd80f57aea6a1f3a1a0fe26b76c9fad0661c (patch)
tree	22f4420d63db538a4bd48567b1acc373518efef0 /lib/api/project_hooks.rb
parent	954af77b39b89555ba79063341010a10617e9e5b (diff)