authorJohn Jarvis <jarv@gitlab.com>2018-12-27 08:36:10 +0000
committerJohn Jarvis <jarv@gitlab.com>2018-12-27 08:36:10 +0000
commitdc4f76e390d30e8d176cbbb5b7b523033f592b33 (patch)
tree7bb04f91b85754b3870d20d7c56c26ecefadbe8c
parentf6669b785f6efe2fe59bd1a4b2de8b8d52d4f3d3 (diff)
parentb9c70e0d86270d60b05d03f812c4801df39cd460 (diff)
downloadgitlab-ce-dc4f76e390d30e8d176cbbb5b7b523033f592b33.tar.gz
Merge branch 'security-11-4-guests-jobs-api' into 'security-11-4'
[11.4] Guest users have access to all Job information via the API. See merge request gitlab/gitlabhq!2746
-rw-r--r--changelogs/unreleased/security-11-4-guests-jobs-api.yml5
-rw-r--r--lib/api/jobs.rb5
-rw-r--r--spec/requests/api/jobs_spec.rb32
3 files changed, 36 insertions, 6 deletions
diff --git a/changelogs/unreleased/security-11-4-guests-jobs-api.yml b/changelogs/unreleased/security-11-4-guests-jobs-api.yml
new file mode 100644
index 00000000000..83022e91aca
--- /dev/null
+++ b/changelogs/unreleased/security-11-4-guests-jobs-api.yml
@@ -0,0 +1,5 @@
+---
+title: Authorize before reading job information via API.
+merge_request:
+author:
+type: security
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index fa992b9a440..87278631a9e 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do
+ authorize_read_builds!
+
builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope])
@@ -56,7 +58,10 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/pipelines/:pipeline_id/jobs' do
+ authorize!(:read_pipeline, user_project)
pipeline = user_project.pipelines.find(params[:pipeline_id])
+ authorize!(:read_build, pipeline)
+
builds = pipeline.builds
builds = filter_builds(builds, params[:scope])
builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
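Review bot: The two endpoints now gate the same build data through different checks: `:id/jobs` calls `authorize_read_builds!` against the project, while this hunk checks `:read_pipeline` on `user_project` and then `:read_build` on the looked-up `pipeline` object. If the pipeline-level `:read_build` is intentionally distinct from the project-level helper (e.g. it takes the pipeline's own visibility into account), a one-line comment above `authorize!(:read_build, pipeline)` such as `# Pipeline-level check: builds of this pipeline may be more restricted than the project default` would keep a later maintainer from "simplifying" it back to `authorize_read_builds!`; if it is not distinct, calling `authorize_read_builds!` before the `find` would put both endpoints on one policy path. Note the ordering: `find` runs between the two checks, so a caller who passes `:read_pipeline` but would fail `:read_build` presumably gets a not-found response for an unknown pipeline id rather than a 403, which is acceptable only because project-level pipeline access has already been granted. The `get ':id/pipelines/:pipeline_id/jobs'` block continues past the end of this hunk.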
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 8770365c893..402031075e7 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return project jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
end
end
@@ -241,10 +251,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
end
end
end
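Review bot: The new `when user is guest` context only covers a user who fails the first authorization; the pipeline-jobs endpoint now performs two separate checks (`:read_pipeline` on the project, then `:read_build` on the pipeline) and nothing here pins the second one. If the policy layer can grant pipeline reads while denying build reads, a context with such a user asserting `have_gitlab_http_status(403)` would catch a regression that drops the pipeline-level check; if no such user can exist, a short comment saying the guest case exercises both checks would make that explicit. The request under test is issued in a `before` block outside this hunk, and the `guest` let it relies on is also defined outside it.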