1 files changed, 19 insertions, 7 deletions

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index f5dcbc07704..a59734d643d 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -184,8 +184,7 @@ module API
       return true unless job_token_authentication?
       return true unless route_authentication_setting[:job_token_scope] == :project
 
-      ::Feature.enabled?(:ci_job_token_scope, project) &&
-        current_authenticated_job.project == project
+      current_authenticated_job.project == project
     end
 
     # rubocop: disable CodeReuse/ActiveRecord
@@ -212,18 +211,25 @@ module API
       not_found!('Pipeline')
     end
 
+    def find_organization!(id)
+      organization = Organizations::Organization.find_by_id(id)
+      check_organization_access(organization)
+    end
+
     # rubocop: disable CodeReuse/ActiveRecord
-    def find_group(id)
+    def find_group(id, organization: nil)
+      collection = organization.present? ? Group.in_organization(organization) : Group.all
+
       if id.to_s =~ INTEGER_ID_REGEX
-        Group.find_by(id: id)
+        collection.find_by(id: id)
       else
-        Group.find_by_full_path(id)
+        collection.find_by_full_path(id)
       end
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
-    def find_group!(id)
-      group = find_group(id)
+    def find_group!(id, organization: nil)
+      group = find_group(id, organization: organization)
       check_group_access(group)
     end
 
@@ -836,6 +842,12 @@ module API
       @sudo_identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER]
     end
 
+    def check_organization_access(organization)
+      return organization if can?(current_user, :read_organization, organization)
+
+      not_found!('Organization')
+    end
+
     def secret_token
       Gitlab::Shell.secret_token
     end