Authorize read_build action when listing jobs
parent
f9fd9b1def
commit
c7ea28612a
|
@ -38,6 +38,8 @@ module API
|
|||
end
|
||||
# rubocop: disable CodeReuse/ActiveRecord
|
||||
get ':id/jobs' do
|
||||
authorize_read_builds!
|
||||
|
||||
builds = user_project.builds.order('id DESC')
|
||||
builds = filter_builds(builds, params[:scope])
|
||||
|
||||
|
|
|
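Review bot: The `authorize_read_builds!` call in `get ':id/jobs'` is added inline to this one handler, so the protection depends on every route remembering to call it. The other job-reading routes of this API class are outside the hunk and should be checked for the same call. If they all require it, a resource-level `before { authorize_read_builds! }` would make the check the default instead of an opt-in, and routes needing a stronger permission could still add their own. A short why-comment above the call would also help, for example `# Project visibility alone does not grant access to builds; reject before querying.` The handler body continues past the end of the hunk.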
@ -142,6 +142,7 @@ describe API::Jobs do
|
|||
end
|
||||
|
||||
context 'unauthorized user' do
|
||||
context 'when user is not logged in' do
|
||||
let(:api_user) { nil }
|
||||
|
||||
it 'does not return project jobs' do
|
||||
|
@ -149,6 +150,15 @@ describe API::Jobs do
|
|||
end
|
||||
end
|
||||
|
||||
context 'when user is guest' do
|
||||
let(:api_user) { guest }
|
||||
|
||||
it 'does not return project jobs' do
|
||||
expect(response).to have_gitlab_http_status(403)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def go
|
||||
get api("/projects/#{project.id}/jobs", api_user), params: query
|
||||
end
|
||||
|
|
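Review bot: The new 'when user is guest' example asserts only `have_gitlab_http_status(403)`, and its outcome depends on fixtures (`guest`, `project`, and whatever issues the request before the example) that are defined outside these hunks. It is therefore not visible here which project configuration makes a guest lack read access to builds, and a change to that fixture could silently alter what this example proves. I would state the precondition in the context, e.g. `# guest is a project member; builds on this project are not readable by guests`, or set it explicitly in a `before`. If guest access to builds is configurable per project, a complementary example for the permitted case would pin both sides of the new authorization check.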