Diffstat (limited to 'lib/api/pypi_packages.rb')
-rw-r--r--lib/api/pypi_packages.rb33
1 files changed, 15 insertions, 18 deletions
diff --git a/lib/api/pypi_packages.rb b/lib/api/pypi_packages.rb
index 1f27fcce879..6c649483da1 100644
--- a/lib/api/pypi_packages.rb
+++ b/lib/api/pypi_packages.rb
@@ -95,9 +95,9 @@ module API
find_authorized_group!
end
- def ensure_project!
+ def project!(action: :read_package)
find_project(params[:id]) || not_found!
- authorized_user_project
+ authorized_user_project(action: action)
end
end
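Review bot: In `project!`, the result of `find_project(params[:id]) || not_found!` is thrown away and the value returned comes from `authorized_user_project(action: action)`, so the helper is only correct if both calls resolve the same record from `params[:id]`. Neither helper is visible in this hunk. If `authorized_user_project` memoizes its result, a later call in the same request with a different `action` may not be re-checked, which is worth confirming. A short doc comment above the method would state the contract, for example `# Returns the project after checking +action+ (default :read_package); renders 404 when params[:id] does not resolve.` The enclosing `helpers` block starts outside the hunk.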
@@ -157,14 +157,10 @@ module API
end
params do
- requires :id, type: String, desc: 'The ID of a project'
+ requires :id, types: [String, Integer], desc: 'The ID or URL-encoded path of the project'
end
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
- before do
- ensure_project!
- end
-
namespace ':id/packages/pypi' do
desc 'The PyPi package download endpoint' do
detail 'This feature was introduced in GitLab 12.10'
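Review bot: Dropping the `before do ensure_project! end` filter makes the project lookup and permission check opt-in per route, so a handler added later under `resource :projects` without a `project!` call would run with no check at all. Every handler touched in this diff does call `project!`, so this is a maintenance risk rather than a present defect. I would add a comment above `namespace ':id/packages/pypi' do`, such as `# No before filter: every route below must call project! before using project data.` A request spec that exercises each route with an unauthorized caller would back it up. The resource block continues past the end of the hunk.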
@@ -176,8 +172,7 @@ module API
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
get 'files/:sha256/*file_identifier' do
- project = authorized_user_project
- authorize_read_package!(project)
+ project = project!
filename = "#{params[:file_identifier]}.#{params[:format]}"
package = Packages::Pypi::PackageFinder.new(current_user, project, { filename: filename, sha256: params[:sha256] }).execute
@@ -196,7 +191,7 @@ module API
# PyPi simple API returns a list of packages as a simple HTML file.
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
get 'simple', format: :txt do
- present_simple_index(authorized_user_project)
+ present_simple_index(project!)
end
desc 'The PyPi Simple Project Package Endpoint' do
@@ -211,7 +206,7 @@ module API
# PyPi simple API returns the package descriptor as a simple HTML file.
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
get 'simple/*package_name', format: :txt do
- present_simple_package(authorized_user_project)
+ present_simple_package(project!)
end
desc 'The PyPi Package upload endpoint' do
@@ -219,7 +214,7 @@ module API
end
params do
- requires :content, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)'
+ requires :content, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)', documentation: { type: 'file' }
requires :name, type: String
requires :version, type: String
optional :requires_python, type: String
@@ -229,15 +224,16 @@ module API
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
post do
- authorize_upload!(authorized_user_project)
- bad_request!('File is too large') if authorized_user_project.actual_limits.exceeded?(:pypi_max_file_size, params[:content].size)
+ project = project!(action: :read_project)
+ authorize_upload!(project)
+ bad_request!('File is too large') if project.actual_limits.exceeded?(:pypi_max_file_size, params[:content].size)
- track_package_event('push_package', :pypi, project: authorized_user_project, user: current_user, namespace: authorized_user_project.namespace)
+ track_package_event('push_package', :pypi, project: project, user: current_user, namespace: project.namespace)
unprocessable_entity! if Gitlab::FIPS.enabled? && declared_params[:md5_digest].present?
::Packages::Pypi::CreatePackageService
- .new(authorized_user_project, current_user, declared_params.merge(build: current_authenticated_job))
+ .new(project, current_user, declared_params.merge(build: current_authenticated_job))
.execute
created!
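Review bot: The upload handler looks the project up with `project!(action: :read_project)`, a different permission from the `:read_package` default used by the read routes, and nothing at the call site says why. Write access therefore rests entirely on `authorize_upload!(project)` on the next line. The same pattern appears in the `post 'authorize'` hunk, where the only check after the lookup is inside `authorize_workhorse!`, which is not shown here. A comment on both lookups would record the intent, for example `# Lookup needs only :read_project; write permission is enforced by authorize_upload! below.` The handler body continues outside the hunk.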
@@ -249,10 +245,11 @@ module API
route_setting :authentication, deploy_token_allowed: true, basic_auth_personal_access_token: true, job_token_allowed: :basic_auth
post 'authorize' do
+ project = project!(action: :read_project)
authorize_workhorse!(
- subject: authorized_user_project,
+ subject: project,
has_length: false,
- maximum_size: authorized_user_project.actual_limits.pypi_max_file_size
+ maximum_size: project.actual_limits.pypi_max_file_size
)
end
end