authorJames Lopez <james@jameslopez.es>2016-11-15 16:25:37 +0100
committerJames Lopez <james@jameslopez.es>2016-11-17 08:22:59 +0100
commit633ddc9ed98c690c082c7347422ac85f9b592fb4 (patch)
tree10fdc47517922266814a8286a8f8c137432022f1
parentf93607a305346607f4296c266d40be1692febbec (diff)
downloadgitlab-ce-633ddc9ed98c690c082c7347422ac85f9b592fb4.tar.gz
fix authorization of builds and added relevant spec
-rw-r--r--app/controllers/projects/cycle_analytics/events_controller.rb6
-rw-r--r--spec/requests/projects/cycle_analytics_events_spec.rb26
2 files changed, 30 insertions, 2 deletions
diff --git a/app/controllers/projects/cycle_analytics/events_controller.rb b/app/controllers/projects/cycle_analytics/events_controller.rb
index cc75dc247d3..cb52dfc830a 100644
--- a/app/controllers/projects/cycle_analytics/events_controller.rb
+++ b/app/controllers/projects/cycle_analytics/events_controller.rb
@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
include CycleAnalyticsParams
before_action :authorize_read_cycle_analytics!
- before_action :authorize_read_builds!, only: [:test, :staging]
+ before_action :authorize_builds!, only: [:test, :staging]
def issue
render_events(events.issue_events)
@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
params[:events].slice(:start_date, :branch_name)
end
+
+ def authorize_builds!
+ return access_denied! unless current_user.can?(:read_build, project)
+ end
end
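Review bot: `authorize_builds!` calls `current_user.can?` directly, so a request without a signed-in user would raise `NoMethodError` on nil instead of being denied. This matters only if the `test` and `staging` actions can be reached anonymously, for example on a public project, which the hunk does not show. Routing the check through the controller helper keeps the nil case inside the policy decision: `return access_denied! unless can?(current_user, :read_build, project)`. A one-line comment above the method saying why the generated `authorize_read_builds!` filter was not sufficient would save the next reader from reverting it. The class body begins outside the hunk, so whether the new method sits under `private` cannot be confirmed from here.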
diff --git a/spec/requests/projects/cycle_analytics_events_spec.rb b/spec/requests/projects/cycle_analytics_events_spec.rb
index d4da8707ea5..ef6e4c80911 100644
--- a/spec/requests/projects/cycle_analytics_events_spec.rb
+++ b/spec/requests/projects/cycle_analytics_events_spec.rb
@@ -39,7 +39,7 @@ describe 'cycle analytics events' do
newest_sha = commits.sort_by { |k| k['date'] }.first[:sha][0...8]
- expect(json_response['events'].first['sha']).to eq(newest_sha)
+ expect(json_response['events'].first['short_sha']).to eq(newest_sha)
end
it 'lists the code events' do
@@ -99,6 +99,30 @@ describe 'cycle analytics events' do
expect(json_response['events'].first['date']).not_to be_empty
end
end
+
+ context 'with private project and builds' do
+ before do
+ ProjectMember.first.update(access_level: Gitlab::Access::GUEST)
+ end
+
+ it 'does not list the test events' do
+ get namespace_project_cycle_analytics_test_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it 'does not list the staging events' do
+ get namespace_project_cycle_analytics_staging_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it 'lists the issue events' do
+ get namespace_project_cycle_analytics_issue_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:ok)
+ end
+ end
end
def json_response
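Review bot: The `before` block in the new context downgrades `ProjectMember.first` with a non-bang `update`. The setup therefore depends on which membership row comes first, and a failed update would go unreported. `ProjectMember.first.update!(access_level: Gitlab::Access::GUEST)` makes a broken setup fail loudly; selecting the membership of the user who is signed in would be more robust still, though the sign-in setup is outside the hunk. The context is named 'with private project and builds', yet the visible setup only changes the access level, so a name such as 'when the user is a guest' would describe what is exercised. No example covers an unauthenticated request to the `test` or `staging` paths, which is the case most likely to expose a gap in the new filter.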