From 483933cf79363f6b0dd721dc62d9c8295c469ff3 Mon Sep 17 00:00:00 2001
From: Ethan Koenig
Date: Thu, 6 Jul 2017 16:59:59 -0400
Subject: [PATCH 1/2] Check for access in /repositories/:id

---
 routers/api/v1/repo/repo.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 178f1005e522b..edd6a72637aac 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -293,7 +293,10 @@ func GetByID(ctx *context.APIContext) {
 	access, err := models.AccessLevel(ctx.User.ID, repo)
 	if err != nil {
-		ctx.Error(500, "GetRepositoryByID", err)
+		ctx.Error(500, "AccessLevel", err)
+		return
+	} else if access < models.AccessModeRead {
+		ctx.Status(404)
 		return
 	}
 	ctx.JSON(200, repo.APIFormat(access))

From 6eb8974b69f524329f678391f2c7cec4e1a502e1 Mon Sep 17 00:00:00 2001
From: Ethan Koenig
Date: Sat, 29 Jul 2017 16:22:51 -0700
Subject: [PATCH 2/2] Integration test

---
 integrations/api_repo_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index e89a6359ae34a..d5b1676d6eac3 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -84,3 +84,11 @@ func TestAPIOrgRepos(t *testing.T) {
 		assert.False(t, repo.Private)
 	}
 }
+
+func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
+	prepareTestEnv(t)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
+	sess := loginUser(t, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repositories/2")
+	sess.MakeRequest(t, req, http.StatusNotFound)
+}
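Review bot: The new access check in GetByID hangs an `else if` off a branch that already ends in `return`, which is the one shape Go style guides ask to avoid; closing the error branch and starting a fresh `if` keeps the happy path left-aligned: replace `} else if access < models.AccessModeRead {` with `}` followed by `if access < models.AccessModeRead {`. The choice of 404 over 403 for an insufficient access level is presumably deliberate, since it keeps the endpoint from confirming that a repository with a guessed numeric ID exists, and it deserves a one-line comment so a later cleanup does not "correct" it, e.g. `// 404 rather than 403: do not reveal that a repository with this ID exists.` The call `models.AccessLevel(ctx.User.ID, repo)` dereferences `ctx.User` unconditionally; whether an unauthenticated request can reach this handler is decided by routing outside the hunk, so that is worth confirming rather than assuming. GetByID starts before the hunk (the repository lookup is not shown here).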
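Review bot: TestAPIGetRepoByIDUnauthorized only pins the negative path, so a regression that made GetByID answer 404 for every caller would still pass; a companion assertion that a user who does have read access on the same repository receives 200 (ideally with the ID in the decoded body checked) would lock in both halves of the access check. The test name says "Unauthorized" while the assertion is `http.StatusNotFound`, which reads as a mismatch to anyone unfamiliar with the handler; a comment such as `// A user without read access must get 404, not 403, so the ID is not confirmed to exist.` above the `MakeRequest` line explains the intent. `NewRequestf(t, "GET", "/api/v1/repositories/2")` is called with no format verbs and no arguments; if the test helpers provide a non-formatting variant, that is the clearer call here. The fixture assumption that user 4 lacks read access to repository 2 is not visible in this hunk and is worth stating in a comment so a fixture change does not silently turn the test green for the wrong reason.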