authorDouwe Maan <douwe@gitlab.com>2016-03-02 11:00:25 +0000
committerRémy Coutable <remy@rymai.me>2016-03-02 12:08:21 +0100
commit4d857c08d5c38d5af064cd5f03ae9c55fb675cfe (patch)
tree0685364b9c09232bb92760f701cffad92aaf0f58
parent26959be0cfb6eecbd22699312ea3583c1be57296 (diff)
Merge branch 'fix/deprecated-ci-badge-permissions' into 'master'
Fix permissions for deprecated CI build status badge. This fixes permissions for the deprecated status badge, which was unavailable even if the project is public. Closes #13324. See merge request !3030
-rw-r--r--CHANGELOG1
-rw-r--r--app/controllers/ci/projects_controller.rb2
-rw-r--r--spec/controllers/ci/projects_controller_spec.rb53
3 files changed, 56 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index d0842708803..39f470b9bfe 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 8.5.2
- Don't show any "2FA required" message if it's not actually required
- Fix help keyboard shortcut on relative URL setups (Artem Sidorenko)
- Update Rails to 4.2.5.2
+ - Fix permissions for deprecated CI build status badge
v 8.5.1
- Fix group projects styles
diff --git a/app/controllers/ci/projects_controller.rb b/app/controllers/ci/projects_controller.rb
index d1824b481d7..081e01a75e0 100644
--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
@@ -3,6 +3,7 @@ module Ci
before_action :project
before_action :authorize_read_project!, except: [:badge]
before_action :no_cache, only: [:badge]
+ skip_before_action :authenticate_user!, only: [:badge]
protect_from_forgery
def show
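Review bot: With `skip_before_action :authenticate_user!, only: [:badge]` added next to the existing `authorize_read_project!, except: [:badge]`, the badge action appears to run with neither a sign-in requirement nor a read-permission check, so build status for private and internal projects is served to anonymous callers, which is broader than the public-project case the description names. The spec in this commit creates the project with `ci_id: 1`, which suggests the id is a small integer, and the 404-versus-200 split would also show which ids exist. If this is deliberate for the deprecated badge, say so above the filter, e.g. `# Deprecated badge is served without sign-in or read_project check, private projects included`; otherwise gate the action on the project's visibility before rendering. The class body continues outside the hunk, and how `@project` is loaded is not visible here.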
@@ -18,6 +19,7 @@ module Ci
#
def badge
return render_404 unless @project
+
image = Ci::ImageForBuildService.new.execute(@project, params)
send_file image.path, filename: image.name, disposition: 'inline', type:"image/svg+xml"
end
diff --git a/spec/controllers/ci/projects_controller_spec.rb b/spec/controllers/ci/projects_controller_spec.rb
new file mode 100644
index 00000000000..db0748f323f
--- /dev/null
+++ b/spec/controllers/ci/projects_controller_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe Ci::ProjectsController do
+ let(:visibility) { :public }
+ let!(:project) { create(:project, visibility, ci_id: 1) }
+ let(:ci_id) { project.ci_id }
+
+ ##
+ # Specs for *deprecated* CI badge
+ #
+ describe '#badge' do
+ shared_examples 'badge provider' do
+ it 'shows badge' do
+ expect(response.status).to eq 200
+ expect(response.headers)
+ .to include('Content-Type' => 'image/svg+xml')
+ end
+ end
+
+ context 'user not signed in' do
+ before { get(:badge, id: ci_id) }
+
+ context 'project has no ci_id reference' do
+ let(:ci_id) { 123 }
+
+ it 'returns 404' do
+ expect(response.status).to eq 404
+ end
+ end
+
+ context 'project is public' do
+ let(:visibility) { :public }
+ it_behaves_like 'badge provider'
+ end
+
+ context 'project is private' do
+ let(:visibility) { :private }
+ it_behaves_like 'badge provider'
+ end
+ end
+
+ context 'user signed in' do
+ let(:user) { create(:user) }
+ before { sign_in(user) }
+ before { get(:badge, id: ci_id) }
+
+ context 'private is internal' do
+ let(:visibility) { :internal }
+ it_behaves_like 'badge provider'
+ end
+ end
+ end
+end
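Review bot: The `context 'project is private'` case under 'user not signed in' expects a 200, which pins anonymous access to a private project's build status as intended behaviour; if that is the intent, a comment on that context should state it, and if not, the expectation should be 404. The signed-in group has only one case, and its name `context 'private is internal'` reads as a typo for `context 'project is internal'`. A signed-in user who is not a member of a private project is not covered, so the spec does not show what a non-member sees.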