Read pipelines from public projects though API

Allow users to read pipelines for public projects with public builds enabled without providing an access token.
author: Marius Bobin <mbobin@gitlab.com> 2019-08-14 17:36:33 +0300
committer: Marius Bobin <mbobin@gitlab.com> 2019-08-22 11:39:51 +0300
commit: 1587b6aed9aa1555c612ae674e94231726537ecb (patch)
tree: 47967982b461534c9c54280b136d7d23c92a876c
parent: 7b5708d1d944547dfea9bc8b6b8e1c6c6e22901b (diff)
download: gitlab-ce-1587b6aed9aa1555c612ae674e94231726537ecb.tar.gz
2 files changed, 51 insertions, 1 deletions
diff --git a/lib/api/pipelines.rb b/lib/api/pipelines.rb
index 667bf1ec801..9e888368e7b 100644
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
@@ -4,7 +4,7 @@ module API
   class Pipelines < Grape::API
     include PaginationParams
 
-    before { authenticate! }
+    before { authenticate_non_get! }
 
     params do
       requires :id, type: String, desc: 'The project ID'
@@ -32,6 +32,7 @@ module API
       end
       get ':id/pipelines' do
         authorize! :read_pipeline, user_project
+        authorize! :read_build, user_project
 
         pipelines = PipelinesFinder.new(user_project, current_user, params).execute
         present paginate(pipelines), with: Entities::PipelineBasic
diff --git a/spec/requests/api/pipelines_spec.rb b/spec/requests/api/pipelines_spec.rb
index 35b3dd219f7..c87ab433e1e 100644
--- a/spec/requests/api/pipelines_spec.rb
+++ b/spec/requests/api/pipelines_spec.rb
@@ -285,6 +285,55 @@ describe API::Pipelines do
         expect(json_response).not_to be_an Array
       end
     end
+
+    context 'projects with public visibility' do
+      let(:visibility) { 'public' }
+      let(:project) { create(:project, :repository, creator: user, visibility: visibility, public_builds: public_builds) }
+
+      context 'with public builds' do
+        let(:public_builds) { true }
+
+        context 'with non assigned user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines", non_member)
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(json_response).to be_an Array
+          end
+        end
+
+        context 'without any user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines")
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(json_response).to be_an Array
+          end
+        end
+      end
+
+      context 'without public builds' do
+        let(:public_builds) { false }
+
+        context 'with non assigned user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines", non_member)
+
+            expect(response).to have_gitlab_http_status(403)
+            expect(json_response).not_to be_an Array
+          end
+        end
+
+        context 'without any user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines")
+
+            expect(response).to have_gitlab_http_status(403)
+            expect(json_response).not_to be_an Array
+          end
+        end
+      end
+    end
   end
 
   describe 'POST /projects/:id/pipeline ' do
author	Marius Bobin <mbobin@gitlab.com>	2019-08-14 17:36:33 +0300
committer	Marius Bobin <mbobin@gitlab.com>	2019-08-22 11:39:51 +0300
commit	1587b6aed9aa1555c612ae674e94231726537ecb (patch)
tree	47967982b461534c9c54280b136d7d23c92a876c
parent	7b5708d1d944547dfea9bc8b6b8e1c6c6e22901b (diff)
download	gitlab-ce-1587b6aed9aa1555c612ae674e94231726537ecb.tar.gz