API bug: can't see user_agent_detail for project_snippets
Summary
Snippets are Spammable, so carry a user_agent_detail with them. This can be queried via the API.
This works fine for snippets generally, but when trying to access via the project snippets API endpoint (https://docs.gitlab.com/ee/api/project_snippets.html#get-user-agent-details), the id
is taken to mean both the project ID and snippet ID. So unless they match exactly, you can't retrieve the details.
A separate problem is that the lookups aren't scoped by project ID, as they should be. Since the endpoint is only available to admins, this isn't a security issue, but it should be fixed anyway.
I need to fix this to make https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/16516 green, which I need to make https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/15681 green.
Steps to reproduce
- Create a project (say, ID 1)
- Create a snippet (say, ID 2)
- As an admin,
GET /api/v4/projects/1/snippets/2/user_agent_detail
What is the current bug behavior?
404 response. It's looking for a snippet with ID 1.
What is the expected correct behavior?
200 response. It should look for a snippet with ID 2.
Possible fixes
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/api/project_snippets.rb#L143