403 leaks information about whether the requested project exists. This approach for projects is now similar to how we treat other nested objects, where we retrieve from an authorized dataset, instead of retrieving the object and then (hopefully) performing authorization on it. It should also be faster as it eliminates an unnecessary query.

Unfortunately, the route specs mock Project.[] in quite a few places. To avoid a bunch of spec churn, add Clover.authorized_project, and change the mocking to mock that instead.

As a consequence of this handling, deleting an unauthorized project now returns 204 instead of 403. I believe that is how deletion of other unauthorized objects is handled, so the behavior is now more consistent, but it is something to be aware of.
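
The two lookup orders described in the commit message above, side by side, as an added Ruby example that is not part of the commit or the project's code. The in-memory `PROJECTS` and `GRANTS` data, all helper names, and the 404 returned for reads that miss the authorized set are assumptions of this sketch; the 204 on deletion follows the commit message.

```ruby
# Added illustration: constructed in-memory data, hypothetical names throughout.
Project = Struct.new(:id, :name)

PROJECTS = {
  "p1" => Project.new("p1", "alice-app"),
  "p2" => Project.new("p2", "bob-infra"),
}.freeze

# Constructed access grants: account id => project ids it may access.
GRANTS = { "alice" => ["p1"], "bob" => ["p2"] }.freeze

# Before: fetch the object, then authorize it. Two lookups, and the status
# code differs between "exists but forbidden" and "does not exist".
def get_fetch_then_authorize(account, project_id)
  project = PROJECTS[project_id]
  return 404 unless project
  return 403 unless GRANTS.fetch(account, []).include?(project.id)
  200
end

# After: look up only within the set the account is authorized for, so a
# foreign project and a missing project are indistinguishable (both nil).
def lookup_authorized_project(account, project_id)
  return nil unless GRANTS.fetch(account, []).include?(project_id)
  PROJECTS[project_id]
end

def get_scoped(account, project_id)
  lookup_authorized_project(account, project_id) ? 200 : 404 # 404 is assumed
end

# Deletion is idempotent: nothing visible to delete still yields 204,
# and a project outside the authorized set is left untouched.
def delete_scoped(account, project_id, store = PROJECTS.dup)
  project = lookup_authorized_project(account, project_id)
  store.delete(project.id) if project
  204
end

# True when responses let a caller tell another tenant's project from a missing id.
def existence_oracle?(handler, account, foreign_id, missing_id)
  send(handler, account, foreign_id) != send(handler, account, missing_id)
end

if __FILE__ == $PROGRAM_NAME
  puts existence_oracle?(:get_fetch_then_authorize, "alice", "p2", "nope")
  puts existence_oracle?(:get_scoped, "alice", "p2", "nope")
end
```

A spec in this style, asserting that a foreign id and a nonexistent id produce identical responses, catches a regression back to fetch-then-authorize.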