authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-03-01 13:59:19 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-03-01 13:59:19 +0100
commit814d853a1af2a06bc19ecf60d78ef8fd99b3f682 (patch)
tree8c8bcfe0be16f9e92a7de3274a700e608138c1d8
parent3292940745653a76dadd169a203619c5dfeebd4e (diff)
Fix deprecated CI build status badge permissions
-rw-r--r--app/controllers/ci/projects_controller.rb3
-rw-r--r--spec/controllers/ci/projects_controller_spec.rb53
2 files changed, 56 insertions, 0 deletions
diff --git a/app/controllers/ci/projects_controller.rb b/app/controllers/ci/projects_controller.rb
index d1824b481d7..471cebc82f6 100644
--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
@@ -3,6 +3,7 @@ module Ci
before_action :project
before_action :authorize_read_project!, except: [:badge]
before_action :no_cache, only: [:badge]
+ skip_before_action :authenticate_user!, only: [:badge]
protect_from_forgery
def show
@@ -18,6 +19,8 @@ module Ci
#
def badge
return render_404 unless @project
+ authenticate_user! unless @project.public?
+
image = Ci::ImageForBuildService.new.execute(@project, params)
send_file image.path, filename: image.name, disposition: 'inline', type:"image/svg+xml"
end
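Review bot: `authenticate_user! unless @project.public?` in `badge` only establishes that some account is signed in, while `authorize_read_project!` remains skipped for `:badge` (the existing `except: [:badge]` two lines above the new `skip_before_action`), so any authenticated user, member or not, can fetch the badge of a private project and learn its build status. If that is not the intent, the guard should also check read access to the resolved project, e.g. `return render_404 unless @project.public? || can?(current_user, :read_project, @project)` placed after the authentication call; the exact ability name should be confirmed against the project's policy definitions. The controller class and the `before_action` list begin outside the hunk, so whatever `authenticate_user!` does for an anonymous request (the spec expects a 302) is inferred rather than visible here.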
diff --git a/spec/controllers/ci/projects_controller_spec.rb b/spec/controllers/ci/projects_controller_spec.rb
new file mode 100644
index 00000000000..e048c5a51ed
--- /dev/null
+++ b/spec/controllers/ci/projects_controller_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe Ci::ProjectsController do
+ let(:visibility) { :public }
+ let!(:project) { create(:project, visibility, ci_id: 1) }
+ let(:ci_id) { project.ci_id }
+
+ ##
+ # Specs for *deprecated* CI badge
+ #
+ describe '#badge' do
+ context 'user not signed in'
+ before { get(:badge, id: ci_id) }
+
+ context 'project has no ci_id reference' do
+ let(:ci_id) { 123 }
+
+ it 'returns 404' do
+ expect(response.status).to eq 404
+ end
+ end
+
+ context 'project is public' do
+ let(:visibility) { :public }
+
+ it 'is available without authentication' do
+ expect(response.status).to eq 200
+ end
+ end
+
+ context 'project is private' do
+ let(:visibility) { :private }
+
+ it 'requires authentication' do
+ expect(response.status).to eq 302
+ end
+ end
+
+ context 'user signed in' do
+ let(:user) { create(:user) }
+ before { sign_in(user) }
+ before { get(:badge, id: ci_id) }
+
+ context 'private is internal' do
+ let(:visibility) { :internal }
+
+ it 'shows badge to signed in user' do
+ expect(response.status).to eq 200
+ end
+ end
+ end
+ end
+end
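Review bot: `context 'user not signed in'` on the first line of `describe '#badge'` has no `do … end` block, so it groups nothing: the `before { get(:badge, id: ci_id) }` that follows runs for every example in the describe, including the `'user signed in'` group, where the badge is requested once unauthenticated and then again after `sign_in(user)`. Those examples pass only because the second request overwrites `response`; add `do` after the context label and close it with `end` before the `'user signed in'` context so each group issues exactly one request (depending on the RSpec version, a blockless `context` may also be rejected outright). The group label `'private is internal'` should read `'project is internal'`, matching its sibling contexts. There is also no example for a signed-in user who is not a member of a private project, which is precisely the case an authentication-only guard in `badge` leaves open; adding one would pin the intended behaviour either way.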