Gate MR head_pipeline behind read_pipeline ability

2019-06-08 18:13:31 +02:00 · 2019-06-08 18:13:31 +02:00 · 5f0687d07a
parent 2a01cb7956
commit 5f0687d07a
2 changed files with 28 additions and 1 deletions
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@ -755,7 +755,9 @@ module API
        merge_request.metrics&.pipeline
      end

-      expose :head_pipeline, using: 'API::Entities::Pipeline'
+      expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
+        Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
+      end

      expose :diff_refs, using: Entities::DiffRefs

--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@ -834,6 +834,31 @@ describe API::MergeRequests do
      end
    end

+    context 'head_pipeline' do
+      before do
+        merge_request.update(head_pipeline: create(:ci_pipeline))
+        merge_request.project.project_feature.update(builds_access_level: 10)
+      end
+
+      context 'when user can read the pipeline' do
+        it 'exposes pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", user)
+
+          expect(json_response).to include('head_pipeline')
+        end
+      end
+
+      context 'when user can not read the pipeline' do
+        let(:guest) { create(:user) }
+
+        it 'does not expose pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", guest)
+
+          expect(json_response).not_to include('head_pipeline')
+        end
+      end
+    end
+
    it 'returns the commits behind the target branch when include_diverged_commits_count is present' do
      allow_any_instance_of(merge_request.class).to receive(:diverged_commits_count).and_return(1)