6 files changed, 37 insertions, 19 deletions

diff --git a/lib/api/builds.rb b/lib/api/builds.rb
index d293f988165..a8bd3842ce4 100644
--- a/lib/api/builds.rb
+++ b/lib/api/builds.rb
@@ -13,11 +13,12 @@ module API
       # Example Request:
       #   GET /projects/:id/builds
       get ':id/builds' do
+
         builds = user_project.builds.order('id DESC')
         builds = filter_builds(builds, params[:scope])
 
         present paginate(builds), with: Entities::Build,
-                                  user_can_download_artifacts: can?(current_user, :download_build_artifacts, user_project)
+                                  user_can_download_artifacts: can?(current_user, :read_build, user_project)
       end
 
       # Get builds for a specific commit of a project
@@ -30,6 +31,8 @@ module API
       # Example Request:
       #   GET /projects/:id/repository/commits/:sha/builds
       get ':id/repository/commits/:sha/builds' do
+        authorize_read_builds!
+
         commit = user_project.ci_commits.find_by_sha(params[:sha])
         return not_found! unless commit
 
@@ -37,7 +40,7 @@ module API
         builds = filter_builds(builds, params[:scope])
 
         present paginate(builds), with: Entities::Build,
-                                  user_can_download_artifacts: can?(current_user, :download_build_artifacts, user_project)
+                                  user_can_download_artifacts: can?(current_user, :read_build, user_project)
       end
 
       # Get a specific build of a project
@@ -48,11 +51,13 @@ module API
       # Example Request:
       #   GET /projects/:id/builds/:build_id
       get ':id/builds/:build_id' do
+        authorize_read_builds!
+
         build = get_build(params[:build_id])
         return not_found!(build) unless build
 
         present build, with: Entities::Build,
-                       user_can_download_artifacts: can?(current_user, :download_build_artifacts, user_project)
+                       user_can_download_artifacts: can?(current_user, :read_build, user_project)
       end
 
       # Get a trace of a specific build of a project
@@ -67,6 +72,8 @@ module API
       #       is saved in the DB instead of file). But before that, we need to consider how to replace the value of
       #       `runners_token` with some mask (like `xxxxxx`) when sending trace file directly by workhorse.
       get ':id/builds/:build_id/trace' do
+        authorize_read_builds!
+
         build = get_build(params[:build_id])
         return not_found!(build) unless build
 
@@ -86,7 +93,7 @@ module API
       # example request:
       #   post /projects/:id/build/:build_id/cancel
       post ':id/builds/:build_id/cancel' do
-        authorize_manage_builds!
+        authorize_update_builds!
 
         build = get_build(params[:build_id])
         return not_found!(build) unless build
@@ -94,7 +101,7 @@ module API
         build.cancel
 
         present build, with: Entities::Build,
-                       user_can_download_artifacts: can?(current_user, :download_build_artifacts, user_project)
+                       user_can_download_artifacts: can?(current_user, :read_build, user_project)
       end
 
       # Retry a specific build of a project
@@ -105,7 +112,7 @@ module API
       # example request:
       #   post /projects/:id/build/:build_id/retry
       post ':id/builds/:build_id/retry' do
-        authorize_manage_builds!
+        authorize_update_builds!
 
         build = get_build(params[:build_id])
         return forbidden!('Build is not retryable') unless build && build.retryable?
@@ -113,7 +120,7 @@ module API
         build = Ci::Build.retry(build)
 
         present build, with: Entities::Build,
-                       user_can_download_artifacts: can?(current_user, :download_build_artifacts, user_project)
+                       user_can_download_artifacts: can?(current_user, :read_build, user_project)
       end
     end
 
@@ -141,8 +148,12 @@ module API
         builds.where(status: available_statuses && scope)
       end
 
-      def authorize_manage_builds!
-        authorize! :manage_builds, user_project
+      def authorize_read_builds!
+        authorize! :read_build, user_project
+      end
+
+      def authorize_update_builds!
+        authorize! :update_build, user_project
       end
     end
   end
diff --git a/lib/api/commit_statuses.rb b/lib/api/commit_statuses.rb
index 1162271f5fc..9422d438d21 100644
--- a/lib/api/commit_statuses.rb
+++ b/lib/api/commit_statuses.rb
@@ -18,7 +18,7 @@ module API
       # Examples:
       #   GET /projects/:id/repository/commits/:sha/statuses
       get ':id/repository/commits/:sha/statuses' do
-        authorize! :read_commit_statuses, user_project
+        authorize! :read_commit_status, user_project
         sha = params[:sha]
         ci_commit = user_project.ci_commit(sha)
         not_found! 'Commit' unless ci_commit
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 82a75734de0..1aa6570bd06 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -72,6 +72,7 @@ module API
       expose :star_count, :forks_count
       expose :open_issues_count, if: lambda { |project, options| project.issues_enabled? && project.default_issues_tracker? }
       expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] }
+      expose :public_builds
     end
 
     class ProjectMember < UserBasic
@@ -383,7 +384,7 @@ module API
       #       for downloading of artifacts (see: https://gitlab.com/gitlab-org/gitlab-ce/issues/4255)
       expose :download_url do |repo_obj, options|
         if options[:user_can_download_artifacts]
-          repo_obj.download_url
+          repo_obj.artifacts_download_url
         end
       end
       expose :commit, with: RepoCommit do |repo_obj, _options|
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 1f991e600e3..6067c8b4a5e 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -99,6 +99,7 @@ module API
       #   public (optional) - if true same as setting visibility_level = 20
       #   visibility_level (optional) - 0 by default
       #   import_url (optional)
+      #   public_builds (optional)
       # Example Request
       #   POST /projects
       post do
@@ -115,7 +116,8 @@ module API
                                      :namespace_id,
                                      :public,
                                      :visibility_level,
-                                     :import_url]
+                                     :import_url,
+                                     :public_builds]
         attrs = map_public_to_visibility_level(attrs)
         @project = ::Projects::CreateService.new(current_user, attrs).execute
         if @project.saved?
@@ -145,6 +147,7 @@ module API
       #   public (optional) - if true same as setting visibility_level = 20
       #   visibility_level (optional)
       #   import_url (optional)
+      #   public_builds (optional)
       # Example Request
       #   POST /projects/user/:user_id
       post "user/:user_id" do
@@ -161,7 +164,8 @@ module API
                                      :shared_runners_enabled,
                                      :public,
                                      :visibility_level,
-                                     :import_url]
+                                     :import_url,
+                                     :public_builds]
         attrs = map_public_to_visibility_level(attrs)
         @project = ::Projects::CreateService.new(user, attrs).execute
         if @project.saved?
@@ -205,6 +209,7 @@ module API
       #   shared_runners_enabled (optional)
       #   public (optional) - if true same as setting visibility_level = 20
       #   visibility_level (optional) - visibility level of a project
+      #   public_builds (optional)
       # Example Request
       #   PUT /projects/:id
       put ':id' do
@@ -219,7 +224,8 @@ module API
                                      :snippets_enabled,
                                      :shared_runners_enabled,
                                      :public,
-                                     :visibility_level]
+                                     :visibility_level,
+                                     :public_builds]
         attrs = map_public_to_visibility_level(attrs)
         authorize_admin_project
         authorize! :rename_project, user_project if attrs[:name].present?
diff --git a/lib/api/triggers.rb b/lib/api/triggers.rb
index 5e4964f446c..d1d07394e92 100644
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -54,7 +54,7 @@ module API
       #   GET /projects/:id/triggers
       get ':id/triggers' do
         authenticate!
-        authorize_admin_project
+        authorize! :admin_build, user_project
 
         triggers = user_project.triggers.includes(:trigger_requests)
         triggers = paginate(triggers)
@@ -71,7 +71,7 @@ module API
       #   GET /projects/:id/triggers/:token
       get ':id/triggers/:token' do
         authenticate!
-        authorize_admin_project
+        authorize! :admin_build, user_project
 
         trigger = user_project.triggers.find_by(token: params[:token].to_s)
         return not_found!('Trigger') unless trigger
@@ -87,7 +87,7 @@ module API
       #   POST /projects/:id/triggers
       post ':id/triggers' do
         authenticate!
-        authorize_admin_project
+        authorize! :admin_build, user_project
 
         trigger = user_project.triggers.create
 
@@ -103,7 +103,7 @@ module API
       #   DELETE /projects/:id/triggers/:token
       delete ':id/triggers/:token' do
         authenticate!
-        authorize_admin_project
+        authorize! :admin_build, user_project
 
         trigger = user_project.triggers.find_by(token: params[:token].to_s)
         return not_found!('Trigger') unless trigger
diff --git a/lib/api/variables.rb b/lib/api/variables.rb
index d9a055f6c92..f6495071a11 100644
--- a/lib/api/variables.rb
+++ b/lib/api/variables.rb
@@ -2,7 +2,7 @@ module API
   # Projects variables API
   class Variables < Grape::API
     before { authenticate! }
-    before { authorize_admin_project }
+    before { authorize! :admin_build, user_project }
 
     resource :projects do
       # Get project variables