Don't display badges when builds are restricted
Badges were leaked to unauthorized users even when the Public Builds project setting is disabled. Added a guard clause to the controller that checks whether the user can read builds.
This commit is contained in:
parent
0cd59a756c
commit
1c42f748f8
|
@ -3,7 +3,8 @@
|
|||
class Projects::BadgesController < Projects::ApplicationController
|
||||
layout 'project_settings'
|
||||
before_action :authorize_admin_project!, only: [:index]
|
||||
before_action :no_cache_headers, except: [:index]
|
||||
before_action :no_cache_headers, only: [:pipeline, :coverage]
|
||||
before_action :authorize_read_build!, only: [:pipeline, :coverage]
|
||||
|
||||
def pipeline
|
||||
pipeline_status = Gitlab::Badge::Pipeline::Status
|
||||
|
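Review bot: The new `before_action :authorize_read_build!` line carries no explanation of why badge endpoints are gated on build permission rather than project visibility, which is the substance of this fix; a comment above the two `only:` filters, `# Badges reveal pipeline status/coverage, so they follow read_build (honours public_builds) rather than project visibility.`, would stop a later change from relaxing it. The `no_cache_headers` filter also moved from `except: [:index]` to `only: [:pipeline, :coverage]`, so any badge action added later will be both cached and unguarded unless it is added to both lists; sharing a single `only:` list between the two filters keeps them in step. `authorize_read_build!` is not defined in this hunk and is presumably inherited from `Projects::ApplicationController`, so confirm it responds with 404 rather than 403, as the spec in this commit expects `:not_found`. The class body continues outside the hunk.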
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Show badges if pipelines are public otherwise default to project permissions.
|
||||
erge_request:
|
||||
author:
|
||||
type: security
|
|
@ -7,32 +7,54 @@ describe Projects::BadgesController do
|
|||
let!(:pipeline) { create(:ci_empty_pipeline) }
|
||||
let(:user) { create(:user) }
|
||||
|
||||
shared_examples 'a badge resource' do |badge_type|
|
||||
context 'when pipelines are public' do
|
||||
before do
|
||||
project.update!(public_builds: true)
|
||||
end
|
||||
|
||||
context 'when project is public' do
|
||||
before do
|
||||
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
|
||||
end
|
||||
|
||||
it "returns the #{badge_type} badge to unauthenticated users" do
|
||||
get_badge(badge_type)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when project is restricted' do
|
||||
before do
|
||||
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
|
||||
project.add_guest(user)
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
it "returns the #{badge_type} badge to guest users" do
|
||||
get_badge(badge_type)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'format' do
|
||||
before do
|
||||
project.add_maintainer(user)
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
it 'requests the pipeline badge successfully' do
|
||||
get_badge(:pipeline)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
|
||||
it 'requests the coverage badge successfully' do
|
||||
get_badge(:coverage)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
|
||||
it 'renders the `flat` badge layout by default' do
|
||||
get_badge(:coverage)
|
||||
get_badge(badge_type)
|
||||
|
||||
expect(response).to render_template('projects/badges/badge')
|
||||
end
|
||||
|
||||
context 'when style param is set to `flat`' do
|
||||
it 'renders the `flat` badge layout' do
|
||||
get_badge(:coverage, 'flat')
|
||||
get_badge(badge_type, 'flat')
|
||||
|
||||
expect(response).to render_template('projects/badges/badge')
|
||||
end
|
||||
|
@ -40,7 +62,7 @@ describe Projects::BadgesController do
|
|||
|
||||
context 'when style param is set to an invalid type' do
|
||||
it 'renders the `flat` (default) badge layout' do
|
||||
get_badge(:coverage, 'xxx')
|
||||
get_badge(badge_type, 'xxx')
|
||||
|
||||
expect(response).to render_template('projects/badges/badge')
|
||||
end
|
||||
|
@ -48,11 +70,53 @@ describe Projects::BadgesController do
|
|||
|
||||
context 'when style param is set to `flat-square`' do
|
||||
it 'renders the `flat-square` badge layout' do
|
||||
get_badge(:coverage, 'flat-square')
|
||||
get_badge(badge_type, 'flat-square')
|
||||
|
||||
expect(response).to render_template('projects/badges/badge_flat-square')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when pipelines are not public' do
|
||||
before do
|
||||
project.update!(public_builds: false)
|
||||
end
|
||||
|
||||
context 'when project is public' do
|
||||
before do
|
||||
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
|
||||
end
|
||||
|
||||
it 'returns 404 to unauthenticated users' do
|
||||
get_badge(badge_type)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when project is restricted to the user' do
|
||||
before do
|
||||
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
|
||||
project.add_guest(user)
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
it 'defaults to project permissions' do
|
||||
get_badge(:coverage)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#pipeline' do
|
||||
it_behaves_like 'a badge resource', :pipeline
|
||||
end
|
||||
|
||||
describe '#coverage' do
|
||||
it_behaves_like 'a badge resource', :coverage
|
||||
end
|
||||
|
||||
def get_badge(badge, style = nil)
|
||||
params = {
|
||||
|
|
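Review bot: Inside the shared example, the `'defaults to project permissions'` case still calls `get_badge(:coverage)` while every other call in this commit was switched to `get_badge(badge_type)`, so the `:pipeline` variant of `'a badge resource'` never exercises the pipeline badge with `public_builds: false`; change it to `get_badge(badge_type)`. The `'when pipelines are not public'` branch asserts only `:not_found`, so nothing checks that a signed-in member who is allowed to read builds still receives `:ok` — a positive case there would catch an over-restrictive guard, though the rest of the spec is outside this section and may already cover it. The `describe` block continues outside the section and `get_badge` is cut off at its end.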