Merge branch 'security-fix-badges-leaked-to-unauthorized-users-11-11' into '11-11-stable'

Don't display badges when builds are restricted See merge request gitlab/gitlabhq!3186
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-07-24 17:46:38 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-07-24 17:46:38 +0000
commit: ae2d851b97f35a4479f62a47b212d52dd5ca0b67 (patch)
tree: 02f56ce16df9aaeb0fd6291c2d81ca1e8f4e0f90 /app/controllers
parent: 57d0cc872b3ecfc93d429d8829f8376187294b77 (diff)
parent: d1fdbf8c40bde174ae9081118edd92b515bce232 (diff)
download: gitlab-ce-ae2d851b97f35a4479f62a47b212d52dd5ca0b67.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/app/controllers/projects/badges_controller.rb b/app/controllers/projects/badges_controller.rb
index 09a384e89ab..66b51b17790 100644
--- a/app/controllers/projects/badges_controller.rb
+++ b/app/controllers/projects/badges_controller.rb
@@ -3,7 +3,8 @@
 class Projects::BadgesController < Projects::ApplicationController
   layout 'project_settings'
   before_action :authorize_admin_project!, only: [:index]
-  before_action :no_cache_headers, except: [:index]
+  before_action :no_cache_headers, only: [:pipeline, :coverage]
+  before_action :authorize_read_build!, only: [:pipeline, :coverage]
 
   def pipeline
     pipeline_status = Gitlab::Badge::Pipeline::Status
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-07-24 17:46:38 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-07-24 17:46:38 +0000
commit	ae2d851b97f35a4479f62a47b212d52dd5ca0b67 (patch)
tree	02f56ce16df9aaeb0fd6291c2d81ca1e8f4e0f90 /app/controllers
parent	57d0cc872b3ecfc93d429d8829f8376187294b77 (diff)
parent	d1fdbf8c40bde174ae9081118edd92b515bce232 (diff)
download	gitlab-ce-ae2d851b97f35a4479f62a47b212d52dd5ca0b67.tar.gz