From 814d853a1af2a06bc19ecf60d78ef8fd99b3f682 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon <grzesiek.bizon@gmail.com>
Date: Tue, 1 Mar 2016 13:59:19 +0100
Subject: Fix deprecated CI build status badge permissions

---
 app/controllers/ci/projects_controller.rb       |  3 ++
 spec/controllers/ci/projects_controller_spec.rb | 53 +++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 spec/controllers/ci/projects_controller_spec.rb

diff --git a/app/controllers/ci/projects_controller.rb b/app/controllers/ci/projects_controller.rb
index d1824b481d7..471cebc82f6 100644
--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
@@ -3,6 +3,7 @@ module Ci
     before_action :project
     before_action :authorize_read_project!, except: [:badge]
     before_action :no_cache, only: [:badge]
+    skip_before_action :authenticate_user!, only: [:badge]
     protect_from_forgery
 
     def show
@@ -18,6 +19,8 @@ module Ci
     #
     def badge
       return render_404 unless @project
+      authenticate_user! unless @project.public?
+
       image = Ci::ImageForBuildService.new.execute(@project, params)
       send_file image.path, filename: image.name, disposition: 'inline', type:"image/svg+xml"
     end
diff --git a/spec/controllers/ci/projects_controller_spec.rb b/spec/controllers/ci/projects_controller_spec.rb
new file mode 100644
index 00000000000..e048c5a51ed
--- /dev/null
+++ b/spec/controllers/ci/projects_controller_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe Ci::ProjectsController do
+  let(:visibility) { :public }
+  let!(:project) { create(:project, visibility, ci_id: 1) }
+  let(:ci_id) { project.ci_id }
+
+  ##
+  # Specs for *deprecated* CI badge
+  #
+  describe '#badge' do
+    context 'user not signed in'
+      before { get(:badge, id: ci_id) }
+
+      context 'project has no ci_id reference' do
+        let(:ci_id) { 123 }
+
+        it 'returns 404' do
+          expect(response.status).to eq 404
+        end
+      end
+
+      context 'project is public' do
+        let(:visibility) { :public }
+
+        it 'is available without authentication' do
+          expect(response.status).to eq 200
+        end
+      end
+
+      context 'project is private' do
+        let(:visibility) { :private }
+
+        it 'requires authentication' do
+          expect(response.status).to eq 302
+        end
+      end
+
+    context 'user signed in' do
+      let(:user) { create(:user) }
+      before { sign_in(user) }
+      before { get(:badge, id: ci_id) }
+
+      context 'private is internal' do
+        let(:visibility) { :internal }
+
+        it 'shows badge to signed in user' do
+          expect(response.status).to eq 200
+        end
+      end
+    end
+  end
+end
-- 
cgit v1.2.1