kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Authorize read_build when listing pipeline jobs

Browse source
This commit is contained in:
Matija Čupić 2018-12-14 16:42:04 +01:00
parent c7ea28612a
commit a1c77f2d34
No known key found for this signature in database
GPG key ID: 4BAF84FFACD2E5DE
2 changed files with 15 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/api/jobs.rb
View file

@ -59,6 +59,8 @@ module API
# rubocop: disable CodeReuse/ActiveRecord
get ':id/pipelines/:pipeline_id/jobs' do
pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
authorize!(:read_build, pipeline)
builds = pipeline.builds
builds = filter_builds(builds, params[:scope])
builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])

16
spec/requests/api/jobs_spec.rb
View file

@ -251,10 +251,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
let(:api_user) { nil }
context 'when user is not logged in' do
let(:api_user) { nil }
it 'does not return jobs' do
expect(response).to have_gitlab_http_status(401)
it 'does not return jobs' do
expect(response).to have_gitlab_http_status(401)
end
end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return jobs' do
expect(response).to have_gitlab_http_status(403)
end
end
end
end