Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
This commit is contained in:
parent
80c57bf6d1
commit
f7fbf49929
|
@ -12,6 +12,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
|
|||
skip_before_action :merge_request, only: [:index, :bulk_update]
|
||||
before_action :whitelist_query_limiting, only: [:assign_related_issues, :update]
|
||||
before_action :authorize_update_issuable!, only: [:close, :edit, :update, :remove_wip, :sort]
|
||||
before_action :authorize_test_reports!, only: [:test_reports]
|
||||
before_action :set_issuables_index, only: [:index]
|
||||
before_action :authenticate_user!, only: [:assign_related_issues]
|
||||
before_action :check_user_can_push_to_source_branch!, only: [:rebase]
|
||||
|
@ -336,4 +337,9 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
|
|||
render json: { status_reason: 'Unknown error' }, status: :internal_server_error
|
||||
end
|
||||
end
|
||||
|
||||
def authorize_test_reports!
|
||||
# MergeRequest#actual_head_pipeline is the pipeline accessed in MergeRequest#compare_reports.
|
||||
return render_404 unless can?(current_user, :read_build, merge_request.actual_head_pipeline)
|
||||
end
|
||||
end
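Review bot: `authorize_test_reports!` passes `merge_request.actual_head_pipeline` straight into `can?`; for a merge request that has no head pipeline that subject is nil, and whether `can?` then denies depends on how the policy layer handles a nil subject, so the denial should be explicit: `pipeline = merge_request.actual_head_pipeline` / `return render_404 unless pipeline && can?(current_user, :read_build, pipeline)`. The `test_reports` action this guard protects, and any `private` marker that precedes the new method, are outside the hunk; if the method lands in the public section it is exposed as a public controller method, so confirm it sits below `private`. The `before_action` wiring in the first hunk of this section looks consistent with the other guards around it.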
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
title: Restrict MergeRequests#test_reports to authenticated users with read-access
|
||||
on Builds
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -719,19 +719,63 @@ describe Projects::MergeRequestsController do
|
|||
end
|
||||
|
||||
describe 'GET test_reports' do
|
||||
let(:merge_request) do
|
||||
create(:merge_request,
|
||||
:with_diffs,
|
||||
:with_merge_request_pipeline,
|
||||
target_project: project,
|
||||
source_project: project
|
||||
)
|
||||
end
|
||||
|
||||
subject do
|
||||
get :test_reports,
|
||||
params: {
|
||||
namespace_id: project.namespace.to_param,
|
||||
project_id: project,
|
||||
id: merge_request.iid
|
||||
},
|
||||
format: :json
|
||||
get :test_reports, params: {
|
||||
namespace_id: project.namespace.to_param,
|
||||
project_id: project,
|
||||
id: merge_request.iid
|
||||
},
|
||||
format: :json
|
||||
end
|
||||
|
||||
before do
|
||||
allow_any_instance_of(MergeRequest)
|
||||
.to receive(:compare_test_reports).and_return(comparison_status)
|
||||
.to receive(:compare_test_reports)
|
||||
.and_return(comparison_status)
|
||||
|
||||
allow_any_instance_of(MergeRequest)
|
||||
.to receive(:actual_head_pipeline)
|
||||
.and_return(merge_request.all_pipelines.take)
|
||||
end
|
||||
|
||||
describe 'permissions on a public project with private CI/CD' do
|
||||
let(:project) { create :project, :repository, :public, :builds_private }
|
||||
let(:comparison_status) { { status: :parsed, data: { summary: 1 } } }
|
||||
|
||||
context 'while signed out' do
|
||||
before do
|
||||
sign_out(user)
|
||||
end
|
||||
|
||||
it 'responds with a 404' do
|
||||
subject
|
||||
|
||||
expect(response).to have_gitlab_http_status(404)
|
||||
expect(response.body).to be_blank
|
||||
end
|
||||
end
|
||||
|
||||
context 'while signed in as an unrelated user' do
|
||||
before do
|
||||
sign_in(create(:user))
|
||||
end
|
||||
|
||||
it 'responds with a 404' do
|
||||
subject
|
||||
|
||||
expect(response).to have_gitlab_http_status(404)
|
||||
expect(response.body).to be_blank
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when comparison is being processed' do
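Review bot: The new examples cover only the signed-out and unrelated-user denials on a `:builds_private` project; no example exercises a merge request whose `actual_head_pipeline` is nil, which is the path where the controller guard's behaviour is least obvious, because the `before` block stubs `actual_head_pipeline` to always return `merge_request.all_pipelines.take`. A context that overrides that stub with `.and_return(nil)` and asserts `have_gitlab_http_status(404)` would pin the guard for that case. The stub also means the guard is never checked against the pipeline the `:with_merge_request_pipeline` trait actually produces; if the trait already yields a head pipeline, the stub can presumably be dropped. The authorized-member case is presumably covered by the existing contexts that continue past the end of this hunk.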
|
||||
|
|