summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatija Čupić <matteeyah@gmail.com>2018-12-14 16:36:33 +0100
committerMatija Čupić <matteeyah@gmail.com>2018-12-22 12:11:25 +0100
commitbd96ffb2ee863890f71c67b19230cfe2761c9612 (patch)
treeb9e812a5f7f72ee5daca881872b8013b53e2cd33
parentd2120ff1e705799752e7d9704cae3f1896d8e186 (diff)
downloadgitlab-ce-bd96ffb2ee863890f71c67b19230cfe2761c9612.tar.gz
Authorize read_build action when listing jobs
Diffstat
-rw-r--r--lib/api/jobs.rb2
-rw-r--r--spec/requests/api/jobs_spec.rb16
2 files changed, 15 insertions, 3 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 80a5cbd6b19..3cfeb9a2784 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do
+ authorize_read_builds!
+
builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope])
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 8770365c893..fcb704379b1 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return project jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
end
end
View Lorry Controller Status