From d4c7214799586a9b5063b0ea5b4327bbffe1170f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Trzci=C5=84ski?= <kamil@gitlab.com>
Date: Mon, 28 Jan 2019 12:12:30 +0000
Subject: [master] Pipelines section is available to unauthorized users

---
 app/serializers/merge_request_widget_entity.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/serializers/merge_request_widget_entity.rb')

diff --git a/app/serializers/merge_request_widget_entity.rb b/app/serializers/merge_request_widget_entity.rb
index 9361c9f987b..f42abf06e1e 100644
--- a/app/serializers/merge_request_widget_entity.rb
+++ b/app/serializers/merge_request_widget_entity.rb
@@ -57,7 +57,7 @@ class MergeRequestWidgetEntity < IssuableEntity
   end
 
   expose :merge_commit_message
-  expose :actual_head_pipeline, with: PipelineDetailsEntity, as: :pipeline
+  expose :actual_head_pipeline, with: PipelineDetailsEntity, as: :pipeline, if: -> (mr, _) { presenter(mr).can_read_pipeline? }
   expose :merge_pipeline, with: PipelineDetailsEntity, if: ->(mr, _) { mr.merged? && can?(request.current_user, :read_pipeline, mr.target_project)}
 
   # Booleans
-- 
cgit v1.2.1