author | Matija Čupić <matteeyah@gmail.com> | 2018-12-14 16:42:04 +0100 |
---|---|---|
committer | Matija Čupić <matteeyah@gmail.com> | 2018-12-22 12:11:31 +0100 |
commit | b19065594989d13a417660fc346f6213cd73674d (patch) | |
tree | d6621e4de69aad1bc077a2bf031ec78231041f3b | |
parent | bd96ffb2ee863890f71c67b19230cfe2761c9612 (diff) | |
download | gitlab-ce-b19065594989d13a417660fc346f6213cd73674d.tar.gz |
Authorize read_build when listing pipeline jobs
-rw-r--r-- | lib/api/jobs.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/jobs_spec.rb | 16 |
2 files changed, 15 insertions, 3 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 3cfeb9a2784..bd704f3bf25 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -59,6 +59,8 @@ module API
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
 pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+ authorize!(:read_build, pipeline)
+
 builds = pipeline.builds
 builds = filter_builds(builds, params[:scope])
 builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index fcb704379b1..402031075e7 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -251,10 +251,20 @@ describe API::Jobs do
 end
 context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
 end
 end
 end |
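Review bot: The added `authorize!(:read_build, pipeline)` runs after `user_project.ci_pipelines.find(params[:pipeline_id])`, so a caller who lacks read_build would presumably get a not-found response for an unknown pipeline id and 403 for an existing one, which discloses which ids exist. If that distinction matters for this project, check the permission before the lookup or answer both cases the same way. A short why-comment above the call would also help the next maintainer, for example `# Guests can reach the project but must not see its jobs; authorize before loading any builds.` The route body continues past the hunk and the other job routes in this file are not visible, so it is worth confirming that they enforce the same permission.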
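Review bot: The new 'when user is guest' context pins only the denial, so a check that is stricter than intended would pass this spec unchanged; nothing in the hunk asserts that the lowest role allowed to read builds still receives the job list. Consider a companion context for that role expecting 200, and in the guest case also assert that the response body carries no job entries rather than relying on the status alone. The `guest` fixture, the request setup and any project setting the 403 depends on are defined outside the hunk, so the spec should state that setting explicitly if it does not already.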