kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Authorize read_build action when listing jobs

This commit is contained in:
Matija Čupić 2018-12-14 16:36:33 +01:00
parent f9fd9b1def
commit c7ea28612a
No known key found for this signature in database
GPG Key ID: 4BAF84FFACD2E5DE
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/api/jobs.rb
View File

@ -38,6 +38,8 @@ module API
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do get ':id/jobs' do
authorize_read_builds!
builds = user_project.builds.order('id DESC') builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope]) builds = filter_builds(builds, params[:scope])

10
spec/requests/api/jobs_spec.rb
View File

@ -142,6 +142,7 @@ describe API::Jobs do
end end
context 'unauthorized user' do context 'unauthorized user' do
context 'when user is not logged in' do
let(:api_user) { nil } let(:api_user) { nil }
it 'does not return project jobs' do it 'does not return project jobs' do
@ -149,6 +150,15 @@ describe API::Jobs do
end end
end end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return project jobs' do
expect(response).to have_gitlab_http_status(403)
end
end
end
def go def go
get api("/projects/#{project.id}/jobs", api_user), params: query get api("/projects/#{project.id}/jobs", api_user), params: query
end end