request #15069: Git LFS batch response endpoint should not return an error 500 for a permission denied
When returning a permission denied error the endpoint sets a 500 status code instead of 403. A similar issue can be observed when the endpoint throws a NotFoundException. This is caused by the specific handling of exceptions done in LFSJSONHTTPDispatchable. This specificity is needed to be compatible with the Git LFS specification [0]. However, the same issue could have happened elsewhere so this contribution fixes the issue by preventing developers from setting an error code when instantiating a ForbiddenException or a NotFoundException and instead enforces the error code to be 403 or 404.

Reproduction scenario:

1. Migrate a Git repository to Gerrit
2. With a standard user that can read the repository try to push some LFS objects to it with something like "GIT_TRACE=1 GIT_CURL_VERBOSE=1 git lfs push --all"

[0] https://github.com/git-lfs/git-lfs/blob/v2.11.0/docs/api/batch.md#response-errors

Change-Id: I7870cd2dbcabf067ef8b778f24bb7c10104571b0
Modified Files
| Status | Name | Added | Removed |
|---|---|---|---|
| M | src/common/Request/ForbiddenException.php | +6 | −5 |
| M | src/common/Request/NotFoundException.php | +8 | −3 |
| A | tests/unit/common/Request/ForbiddenExceptionTest.php | +41 | −0 |
| A | tests/unit/common/Request/NotFoundExceptionTest.php | +34 | −0 |
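The failure mode the commit message describes, as an added sketch that is not the project's code: a dispatcher that derives the HTTP status from the exception code reports an authorization failure as a server error when the code was left at its default. The class names, `statusFor()` and `lfsErrorBody()` are hypothetical, and the dispatcher logic is an assumption about how such a handler can behave, not a copy of LFSJSONHTTPDispatchable.

```php
<?php
declare(strict_types=1);

// Hypothetical "before" shape: the caller chooses the code, so a bare
// `new LooseForbiddenException()` carries PHP's default exception code 0.
class LooseForbiddenException extends \Exception
{
    public function __construct(string $message = 'Forbidden', int $code = 0)
    {
        parent::__construct($message, $code);
    }
}

// Hypothetical "after" shape: no code parameter, the status is fixed by the type.
final class StrictForbiddenException extends \Exception
{
    public function __construct(string $message = 'Forbidden')
    {
        parent::__construct($message, 403);
    }
}

final class StrictNotFoundException extends \Exception
{
    public function __construct(string $message = 'Not found')
    {
        parent::__construct($message, 404);
    }
}

// Assumed dispatcher behaviour: reuse the exception code as the HTTP status
// when it is a valid 4xx/5xx value, otherwise fall back to 500.
function statusFor(\Throwable $e): int
{
    $code = $e->getCode();
    return ($code >= 400 && $code <= 599) ? $code : 500;
}

// Git LFS batch error responses are JSON objects carrying a "message" member.
function lfsErrorBody(\Throwable $e): string
{
    return json_encode(['message' => $e->getMessage()], JSON_THROW_ON_ERROR);
}

foreach ([new LooseForbiddenException(), new StrictForbiddenException(), new StrictNotFoundException()] as $e) {
    printf("%-26s -> HTTP %d %s\n", get_class($e), statusFor($e), lfsErrorBody($e));
}
```

With the code fixed by the exception type, access-denied events surface as 403 in HTTP logs and monitoring instead of being counted among server faults.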