author | Matija Čupić <matteeyah@gmail.com> | 2018-12-14 16:36:33 +0100 |
---|---|---|
committer | Matija Čupić <matteeyah@gmail.com> | 2018-12-22 12:11:25 +0100 |
commit | bd96ffb2ee863890f71c67b19230cfe2761c9612 (patch) | |
tree | b9e812a5f7f72ee5daca881872b8013b53e2cd33 | |
parent | d2120ff1e705799752e7d9704cae3f1896d8e186 (diff) | |
download | gitlab-ce-bd96ffb2ee863890f71c67b19230cfe2761c9612.tar.gz |
Authorize read_build action when listing jobs
-rw-r--r-- | lib/api/jobs.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/jobs_spec.rb | 16 |
2 files changed, 15 insertions, 3 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 80a5cbd6b19..3cfeb9a2784 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/jobs' do
+ authorize_read_builds!
+
 builds = user_project.builds.order('id DESC')
 builds = filter_builds(builds, params[:scope])
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 8770365c893..fcb704379b1 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
 end
 context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return project jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
 end
 end
|
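Review bot: The `authorize_read_builds!` guard is added to the `get ':id/jobs'` route only, and this hunk does not show whether the other routes in `API::Jobs` that return build data apply the same check. That should be confirmed route by route, because a guard on the listing alone would leave any unguarded sibling route as the weaker path to the same data. The call also has no explanation; a short comment above it such as `# Users without read_build (e.g. guests) get 403 before any build is queried` would record why it precedes the query. The route body continues outside the hunk.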
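Review bot: Both new examples keep the description 'does not return project jobs', so the example names do not state which status each context expects. Naming them after the outcome, e.g. `it 'responds with 401'` and `it 'responds with 403'`, would make the unauthenticated and guest cases distinguishable at a glance. The 403 case also depends on `guest` and on the project's visibility and build settings, which are defined outside this hunk. It is worth confirming that this setup denies read_build to guests, rather than the request failing for another reason. The enclosing `describe` block starts and ends outside the hunk.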