Fix security breaching

This commit is contained in:
Shinya Maeda 2017-09-04 21:53:19 +09:00
parent bb22989c38
commit 2f906430fa
2 changed files with 14 additions and 2 deletions


@ -167,7 +167,7 @@ module API
.pipeline_schedules
.preload(:owner, :last_pipeline)
.find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule|
unless pipeline_schedule || can?(current_user, :read_pipeline_schedule, pipeline_schedule)
unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)
not_found!('Pipeline Schedule')
end
end
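Review bot: The rewritten guard on line 16 leaves the nil case of `find_by` entirely to `can?`: when no schedule matches the id, `pipeline_schedule` is nil and the authorization check runs against a nil subject, so the 404 now depends on the policy layer denying a nil subject rather than on an explicit existence test. Keeping that test in the guard makes the intent visible and, if the policy layer does deny nil as I would expect, changes no response: `unless pipeline_schedule && can?(current_user, :read_pipeline_schedule, pipeline_schedule)`. Answering `not_found!` for both the missing and the forbidden case is the right choice, since it avoids revealing to a user without read access whether a given schedule id exists. The enclosing helper starts before this hunk, so the earlier `params` handling and the `.pipeline_schedules` receiver are not visible here.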


@ -3,7 +3,7 @@ require 'spec_helper'
describe API::PipelineSchedules do
set(:developer) { create(:user) }
set(:user) { create(:user) }
set(:project) { create(:project, :repository) }
set(:project) { create(:project, :repository, public_builds: false) }
before do
project.add_developer(developer)
@ -110,6 +110,18 @@ describe API::PipelineSchedules do
end
end
context 'authenticated user with insufficient permissions' do
before do
project.add_guest(user)
end
it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to have_http_status(:not_found)
end
end
context 'unauthenticated user' do
it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")