From f21b15d5f5af150ef39f338a4d4afb495402311a Mon Sep 17 00:00:00 2001
From: Tomasz Maczukin
Date: Thu, 4 Feb 2016 14:53:53 +0100
Subject: Limit projects to user available projects if user is not an admin

---
 lib/api/entities.rb | 8 +++++++-
 lib/api/runners.rb | 6 +++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index af030159580..a8c00542d35 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -388,7 +388,13 @@ module API
 expose :version, :revision, :platform, :architecture
 expose :contacted_at, as: :last_contact
 expose :token, if: lambda { |runner, options| options[:user_is_admin] || !runner.is_shared? }
- expose :projects, with: Entities::RunnerProjectDetails
+ expose :projects, with: Entities::RunnerProjectDetails do |runner, options|
+ if options[:user_is_admin]
+ runner.projects
+ else
+ runner.projects.where(id: options[:available_projects_ids])
+ end
+ end
 end
 
 class Build < Grape::Entity
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index c08d6729dd8..4a0e68a4ddb 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -33,7 +33,11 @@ module API
 runner = get_runner(params[:id])
 authenticate_show_runner!(runner)
 
- present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?
+ available_projects_ids = runner.projects.select{ |p| can?(current_user, :read_project, p) } .map(&:id) unless current_user.is_admin?
+
+ present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?,
+ available_projects_ids: available_projects_ids
 end
 
 # Update runner's details
--
cgit v1.2.1
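Review bot: The `else` branch of the new `expose :projects` block passes `options[:available_projects_ids]` straight into `where(id: ...)`, so the entity's access control now depends on every caller computing that list with the right permission check, and a caller that forgets the option gets `where(id: nil)`, which silently returns no projects instead of signalling the mistake. Failing loudly there, `runner.projects.where(id: options.fetch(:available_projects_ids))`, makes a missing option a visible error rather than a quietly empty list. A short comment above the `expose` should state that the non-admin filtering is delegated to the caller (in this commit `lib/api/runners.rb`) and that admins see every project attached to the runner, since nothing in the entity itself enforces the permission. The enclosing `RunnerDetails` entity class starts outside the hunk.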
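Review bot: The non-admin path loads every project attached to the runner via `runner.projects.select { ... }`, runs `can?(current_user, :read_project, p)` on each in Ruby, and then hands the ids back to the entity, which re-queries the same association with `where(id: ...)`; for a shared runner attached to many projects that is one permission check per project plus two loads of the association. If the project model already provides a scope for projects visible to a user, filtering in SQL would avoid both, but no such scope is visible from this hunk. As a matter of style, `current_user.is_admin?` is evaluated twice and the `unless` modifier hanging off a multi-line method chain is easy to misread; computing the flag once and making the authorization filter an explicit block reads more clearly. The surrounding `get` route block starts and ends outside the hunk.
```ruby
user_is_admin = current_user.is_admin?
available_projects_ids = nil
unless user_is_admin
  # Authorization filter: only projects the caller may read are listed
  available_projects_ids = runner.projects.select { |p| can?(current_user, :read_project, p) }.map(&:id)
end

present runner, with: Entities::RunnerDetails, user_is_admin: user_is_admin,
                                               available_projects_ids: available_projects_ids
```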