author | Fabio Pitino <fpitino@gitlab.com> | 2019-06-21 17:56:03 +0100 |
---|---|---|
committer | Fabio Pitino <fpitino@gitlab.com> | 2019-07-11 10:26:53 +0200 |
commit | 1c42f748f8cac88692d3dca5470f74331e48b8d1 (patch) | |
tree | 4f77a7b5c9e088298112d6bf744c9d5bfcb93c12 /app | |
parent | 0cd59a756cdee7aac8915f3e96ba4f065e5cbc9c (diff) | |
download | gitlab-ce-1c42f748f8cac88692d3dca5470f74331e48b8d1.tar.gz |
Don't display badges when builds are restricted
Badges were leaked to unauthorized users even when Public Builds
project setting is disabled.
Added guard clause to the controller to check if user can read
build.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/badges_controller.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/controllers/projects/badges_controller.rb b/app/controllers/projects/badges_controller.rb
index 09a384e89ab..66b51b17790 100644
--- a/app/controllers/projects/badges_controller.rb
+++ b/app/controllers/projects/badges_controller.rb
@@ -3,7 +3,8 @@
 class Projects::BadgesController < Projects::ApplicationController
 layout 'project_settings'
 before_action :authorize_admin_project!, only: [:index]
- before_action :no_cache_headers, except: [:index]
+ before_action :no_cache_headers, only: [:pipeline, :coverage]
+ before_action :authorize_read_build!, only: [:pipeline, :coverage]
 def pipeline
 pipeline_status = Gitlab::Badge::Pipeline::Status |
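Review bot: The new `authorize_read_build!` filter is scoped with an allowlist, `only: [:pipeline, :coverage]`, so a badge action added to this controller later would be served without the build-visibility check unless both `only:` lists are extended by hand. Because `index` is already guarded by `authorize_admin_project!`, a deny-by-default form keeps the fix from regressing: `before_action :authorize_read_build!, except: [:index]`, and likewise keeping `except: [:index]` on `no_cache_headers`, which this hunk switches to `only:`. `authorize_read_build!` is defined outside the hunk, so what an anonymous request receives when Public Builds is disabled cannot be confirmed from here. The diffstat is limited to 'app', so it is worth checking that a controller spec covers both badge endpoints for an unauthorized user. The class body continues past the end of the hunk.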