Authorize read_build action when listing jobs
parent
f9fd9b1def
commit
c7ea28612a
|
@ -38,6 +38,8 @@ module API
|
||||||
end
|
end
|
||||||
# rubocop: disable CodeReuse/ActiveRecord
|
# rubocop: disable CodeReuse/ActiveRecord
|
||||||
get ':id/jobs' do
|
get ':id/jobs' do
|
||||||
|
authorize_read_builds!
|
||||||
|
|
||||||
builds = user_project.builds.order('id DESC')
|
builds = user_project.builds.order('id DESC')
|
||||||
builds = filter_builds(builds, params[:scope])
|
builds = filter_builds(builds, params[:scope])
|
||||||
|
|
||||||
|
|
|
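Review bot: The `authorize_read_builds!` call is added inline to the `get ':id/jobs'` route only, so every other job-reading route in this `API` module keeps whatever check it already had. Those routes are outside the hunk and should be confirmed to enforce `read_build` as well. If all routes in the resource need the same permission, a resource-level `before { authorize_read_builds! }` would keep a newly added route from shipping without the check. A short comment above the call, such as `# Listing jobs requires read_build, not just project membership`, would record why the check sits ahead of the query. The route body continues past the end of the hunk.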
@ -142,6 +142,7 @@ describe API::Jobs do
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'unauthorized user' do
|
context 'unauthorized user' do
|
||||||
|
context 'when user is not logged in' do
|
||||||
let(:api_user) { nil }
|
let(:api_user) { nil }
|
||||||
|
|
||||||
it 'does not return project jobs' do
|
it 'does not return project jobs' do
|
||||||
|
@ -149,6 +150,15 @@ describe API::Jobs do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when user is guest' do
|
||||||
|
let(:api_user) { guest }
|
||||||
|
|
||||||
|
it 'does not return project jobs' do
|
||||||
|
expect(response).to have_gitlab_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def go
|
def go
|
||||||
get api("/projects/#{project.id}/jobs", api_user), params: query
|
get api("/projects/#{project.id}/jobs", api_user), params: query
|
||||||
end
|
end
|
||||||
|
|
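Review bot: The new 'when user is guest' context pins only the denied side of the permission boundary, with a single `expect(response).to have_gitlab_http_status(403)`. Nothing in the visible hunks shows the lowest role that should still be allowed (presumably reporter) receiving a 200, so a later change that tightens the check too far would go unnoticed; a sibling context for that role asserting `have_gitlab_http_status(200)` would pin both sides. The example also depends on the request being issued before it runs and on `guest` being defined, both of which are outside the hunk. Asserting that the response body carries no job entries, not only the status, would make the denial explicit.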