# HG changeset patch # User Marcin Kuzminski # Date 2017-02-08 20:30:23 # Node ID 4543c26e14b6d7ed09934b67f987b145b4223321 # Parent a1d7ee0596d395d4b9759cefe50063e1e93c6403 api: validate commit_id when using commit_comment API diff --git a/rhodecode/api/tests/test_comment_commit.py b/rhodecode/api/tests/test_comment_commit.py --- a/rhodecode/api/tests/test_comment_commit.py +++ b/rhodecode/api/tests/test_comment_commit.py @@ -33,9 +33,29 @@ class TestCommentCommit(object): self.apikey, 'comment_commit', repoid=repo.repo_name, commit_id='tip', message='message', status_change=None) response = api_call(self.app, params) - expected = 'failed to set comment on repository `%s`' % repo.repo_name + expected = 'There are no commits yet' assert_error(id_, expected, given=response.body) + @pytest.mark.parametrize("commit_id, expected_err", [ + ('abcabca', {'hg': 'Commit {commit} does not exist for {repo}', + 'git': 'Commit {commit} does not exist for {repo}', + 'svn': 'Commit id {commit} not understood.'}), + ('idontexist', {'hg': 'Commit {commit} does not exist for {repo}', + 'git': 'Commit {commit} does not exist for {repo}', + 'svn': 'Commit id {commit} not understood.'}), + ]) + def test_api_comment_commit_wrong_hash(self, backend, commit_id, expected_err): + repo_name = backend.repo.repo_name + id_, params = build_data( + self.apikey, 'comment_commit', repoid=repo_name, + commit_id=commit_id, message='message', status_change=None) + response = api_call(self.app, params) + + expected_err = expected_err[backend.alias] + expected_err = expected_err.format( + repo=backend.repo.scm_instance(), commit=commit_id) + assert_error(id_, expected_err, given=response.body) + @pytest.mark.parametrize("status_change, message, commit_id", [ (None, 'Hallo', 'tip'), (ChangesetStatus.STATUS_APPROVED, 'Approved', 'tip'), 
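Review bot: The expected messages in `test_api_comment_commit_wrong_hash` are filled in with `repo=backend.repo.scm_instance()`, so the test passes only when the API error contains the string form of the backend repository object. That pins an internal representation into the public error contract, and it may carry server-side details such as a storage path, which is not visible in this hunk. Asserting on a message built from `repo_name` and `commit_id` would keep the test stable and limit the response to values the caller already supplied. The two parametrize entries also repeat the same three-key dict, which a single module-level constant would replace.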
@@ -44,6 +64,9 @@ class TestCommentCommit(object): def test_api_comment_commit( self, backend, status_change, message, commit_id, no_notifications): + + commit_id = backend.repo.scm_instance().get_changeset(commit_id).raw_id + id_, params = build_data( self.apikey, 'comment_commit', repoid=backend.repo_name, commit_id=commit_id, message=message, status=status_change) diff --git a/rhodecode/api/views/repo_api.py b/rhodecode/api/views/repo_api.py --- a/rhodecode/api/views/repo_api.py +++ b/rhodecode/api/views/repo_api.py @@ -30,9 +30,9 @@ from rhodecode.api.utils import ( get_perm_or_error, parse_args, get_origin, build_commit_data, validate_set_owner_permissions) from rhodecode.lib.auth import HasPermissionAnyApi, HasUserGroupPermissionAnyApi -from rhodecode.lib.exceptions import StatusChangeOnClosedPullRequestError from rhodecode.lib.utils2 import str2bool, time_to_datetime from rhodecode.lib.ext_json import json +from rhodecode.lib.exceptions import StatusChangeOnClosedPullRequestError from rhodecode.model.changeset_status import ChangesetStatusModel from rhodecode.model.comment import CommentsModel from rhodecode.model.db import ( @@ -1426,6 +1426,12 @@ def comment_commit( _perms = ('repository.read', 'repository.write', 'repository.admin') validate_repo_permissions(apiuser, repoid, repo, _perms) + try: + commit_id = repo.scm_instance().get_commit(commit_id=commit_id).raw_id + except Exception as e: + log.exception('Failed to fetch commit') + raise JSONRPCError(e.message) + if isinstance(userid, Optional): userid = apiuser.user_id
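Review bot: Resolving `commit_id` to `raw_id` before `build_data` means `test_api_comment_commit` no longer sends the symbolic `'tip'` to the API, so the name-to-hash resolution this commit adds to `comment_commit` is not exercised on the success path here. I would keep the parametrized value in the request and compute the expectation separately, e.g. `expected_raw_id = backend.repo.scm_instance().get_commit(commit_id=commit_id).raw_id`. The test calls `get_changeset` while the view calls `get_commit`; using one accessor in both places would read more consistently. The assertions of this test lie outside the hunk, so what they compare against is presumed.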
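Review bot: The new handler in `comment_commit` catches every `Exception` and forwards its text to the API caller with `raise JSONRPCError(e.message)`, so any failure in the VCS layer, not only an unknown commit, is echoed to the client. Callers with just `repository.read` reach this path, and the test added in this commit suggests the message embeds the backend repository object's string form. I would catch only the VCS layer's commit-lookup errors and answer with a fixed message built from caller-visible values, e.g. `raise JSONRPCError('commit %s does not exist in repository %s' % (commit_id, repo.repo_name))`, keeping `log.exception` for the server log. `e.message` is also a deprecated attribute that is empty unless the exception was built with exactly one argument, so the client can receive a blank error. The function body starts and ends outside the hunk.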