diff options
| author | Matija Čupić <matteeyah@gmail.com> | 2018-12-14 16:36:33 +0100 |
|---|---|---|
| committer | Matija Čupić <matteeyah@gmail.com> | 2018-12-19 14:50:35 +0100 |
| commit | c7ea28612a210811696dae50d6ca948c85566da2 (patch) | |
| tree | 6b5f8bcf31df78bb63d482c9eb1f6fc234b7d5a4 | |
| parent | f9fd9b1def8dec9800f8d3857ee278ed6dca03c3 (diff) | |
| download | gitlab-ce-c7ea28612a210811696dae50d6ca948c85566da2.tar.gz | |
Authorize read_build action when listing jobs
| -rw-r--r-- | lib/api/jobs.rb | 2 | ||||
| -rw-r--r-- | spec/requests/api/jobs_spec.rb | 16 |
2 files changed, 15 insertions, 3 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb index 80a5cbd6b19..3cfeb9a2784 100644 --- a/lib/api/jobs.rb +++ b/lib/api/jobs.rb @@ -38,6 +38,8 @@ module API end # rubocop: disable CodeReuse/ActiveRecord get ':id/jobs' do + authorize_read_builds! + builds = user_project.builds.order('id DESC') builds = filter_builds(builds, params[:scope]) diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb index 73131dba542..6deb842b0bc 100644 --- a/spec/requests/api/jobs_spec.rb +++ b/spec/requests/api/jobs_spec.rb @@ -142,10 +142,20 @@ describe API::Jobs do end context 'unauthorized user' do - let(:api_user) { nil } + context 'when user is not logged in' do + let(:api_user) { nil } - it 'does not return project jobs' do - expect(response).to have_gitlab_http_status(401) + it 'does not return project jobs' do + expect(response).to have_gitlab_http_status(401) + end + end + + context 'when user is guest' do + let(:api_user) { guest } + + it 'does not return project jobs' do + expect(response).to have_gitlab_http_status(403) + end end end |