Fix security breaching

2017-09-04 21:53:19 +09:00 · 2017-09-04 21:53:19 +09:00 · 2f906430fa
parent bb22989c38
commit 2f906430fa
2 changed files with 14 additions and 2 deletions
--- a/lib/api/pipeline_schedules.rb
+++ b/lib/api/pipeline_schedules.rb
@ -167,7 +167,7 @@ module API
            .pipeline_schedules
            .preload(:owner, :last_pipeline)
            .find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule|
-              unless pipeline_schedule || can?(current_user, :read_pipeline_schedule, pipeline_schedule)
+              unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)
                not_found!('Pipeline Schedule')
              end
            end
--- a/spec/requests/api/pipeline_schedules_spec.rb
+++ b/spec/requests/api/pipeline_schedules_spec.rb
@ -3,7 +3,7 @@ require 'spec_helper'
 describe API::PipelineSchedules do
  set(:developer) { create(:user) }
  set(:user) { create(:user) }
-  set(:project) { create(:project, :repository) }
+  set(:project) { create(:project, :repository, public_builds: false) }

  before do
    project.add_developer(developer)
@ -110,6 +110,18 @@ describe API::PipelineSchedules do
      end
    end

+    context 'authenticated user with insufficient permissions' do
+      before do
+        project.add_guest(user)
+      end
+
+      it 'does not return pipeline_schedules list' do
+        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
    context 'unauthenticated user' do
      it 'does not return pipeline_schedules list' do
        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")