fix authorization of builds and added relevant spec

author: James Lopez <james@jameslopez.es> 2016-11-15 16:25:37 +0100
committer: James Lopez <james@jameslopez.es> 2016-11-17 08:22:59 +0100
commit: 633ddc9ed98c690c082c7347422ac85f9b592fb4 (patch)
tree: 10fdc47517922266814a8286a8f8c137432022f1 /app/controllers/projects/cycle_analytics
parent: f93607a305346607f4296c266d40be1692febbec (diff)
download: gitlab-ce-633ddc9ed98c690c082c7347422ac85f9b592fb4.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/projects/cycle_analytics/events_controller.rb b/app/controllers/projects/cycle_analytics/events_controller.rb
index cc75dc247d3..cb52dfc830a 100644
--- a/app/controllers/projects/cycle_analytics/events_controller.rb
+++ b/app/controllers/projects/cycle_analytics/events_controller.rb
@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
   include CycleAnalyticsParams
 
   before_action :authorize_read_cycle_analytics!
-  before_action :authorize_read_builds!, only: [:test, :staging]
+  before_action :authorize_builds!, only: [:test, :staging]
 
   def issue
     render_events(events.issue_events)
@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 
     params[:events].slice(:start_date, :branch_name)
   end
+
+  def authorize_builds!
+    return access_denied! unless current_user.can?(:read_build, project)
+  end
 end
author	James Lopez <james@jameslopez.es>	2016-11-15 16:25:37 +0100
committer	James Lopez <james@jameslopez.es>	2016-11-17 08:22:59 +0100
commit	633ddc9ed98c690c082c7347422ac85f9b592fb4 (patch)
tree	10fdc47517922266814a8286a8f8c137432022f1 /app/controllers/projects/cycle_analytics
parent	f93607a305346607f4296c266d40be1692febbec (diff)
download	gitlab-ce-633ddc9ed98c690c082c7347422ac85f9b592fb4.tar.gz