diff options
| author | John Jarvis <jarv@gitlab.com> | 2018-12-27 08:36:10 +0000 |
|---|---|---|
| committer | John Jarvis <jarv@gitlab.com> | 2018-12-27 08:36:10 +0000 |
| commit | dc4f76e390d30e8d176cbbb5b7b523033f592b33 (patch) | |
| tree | 7bb04f91b85754b3870d20d7c56c26ecefadbe8c | |
| parent | f6669b785f6efe2fe59bd1a4b2de8b8d52d4f3d3 (diff) | |
| parent | b9c70e0d86270d60b05d03f812c4801df39cd460 (diff) | |
| download | gitlab-ce-dc4f76e390d30e8d176cbbb5b7b523033f592b33.tar.gz | |
Merge branch 'security-11-4-guests-jobs-api' into 'security-11-4'
[11.4] Guest users have access to all Job information via the API
See merge request gitlab/gitlabhq!2746
| -rw-r--r-- | changelogs/unreleased/security-11-4-guests-jobs-api.yml | 5 | ||||
| -rw-r--r-- | lib/api/jobs.rb | 5 | ||||
| -rw-r--r-- | spec/requests/api/jobs_spec.rb | 32 |
3 files changed, 36 insertions, 6 deletions
diff --git a/changelogs/unreleased/security-11-4-guests-jobs-api.yml b/changelogs/unreleased/security-11-4-guests-jobs-api.yml new file mode 100644 index 00000000000..83022e91aca --- /dev/null +++ b/changelogs/unreleased/security-11-4-guests-jobs-api.yml @@ -0,0 +1,5 @@ +--- +title: Authorize before reading job information via API. +merge_request: +author: +type: security diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb index fa992b9a440..87278631a9e 100644 --- a/lib/api/jobs.rb +++ b/lib/api/jobs.rb @@ -38,6 +38,8 @@ module API end # rubocop: disable CodeReuse/ActiveRecord get ':id/jobs' do + authorize_read_builds! + builds = user_project.builds.order('id DESC') builds = filter_builds(builds, params[:scope]) @@ -56,7 +58,10 @@ module API end # rubocop: disable CodeReuse/ActiveRecord get ':id/pipelines/:pipeline_id/jobs' do + authorize!(:read_pipeline, user_project) pipeline = user_project.pipelines.find(params[:pipeline_id]) + authorize!(:read_build, pipeline) + builds = pipeline.builds builds = filter_builds(builds, params[:scope]) builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace]) diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb index 8770365c893..402031075e7 100644 --- a/spec/requests/api/jobs_spec.rb +++ b/spec/requests/api/jobs_spec.rb @@ -142,10 +142,20 @@ describe API::Jobs do end context 'unauthorized user' do - let(:api_user) { nil } + context 'when user is not logged in' do + let(:api_user) { nil } - it 'does not return project jobs' do - expect(response).to have_gitlab_http_status(401) + it 'does not return project jobs' do + expect(response).to have_gitlab_http_status(401) + end + end + + context 'when user is guest' do + let(:api_user) { guest } + + it 'does not return project jobs' do + expect(response).to have_gitlab_http_status(403) + end end end @@ -241,10 +251,20 @@ describe API::Jobs do end context 'unauthorized user' do - let(:api_user) { nil } + context 'when user is not logged in' do + let(:api_user) { nil } - it 'does not return jobs' do - expect(response).to have_gitlab_http_status(401) + it 'does not return jobs' do + expect(response).to have_gitlab_http_status(401) + end + end + + context 'when user is guest' do + let(:api_user) { guest } + + it 'does not return jobs' do + expect(response).to have_gitlab_http_status(403) + end end end end |