Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
2f906430
Commit
2f906430
authored
Sep 04, 2017
by
Shinya Maeda
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix security breaching
parent
bb22989c
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
14 additions
and
2 deletions
+14
-2
lib/api/pipeline_schedules.rb
lib/api/pipeline_schedules.rb
+1
-1
spec/requests/api/pipeline_schedules_spec.rb
spec/requests/api/pipeline_schedules_spec.rb
+13
-1
No files found.
lib/api/pipeline_schedules.rb
View file @
2f906430
...
@@ -167,7 +167,7 @@ module API
...
@@ -167,7 +167,7 @@ module API
.
pipeline_schedules
.
pipeline_schedules
.
preload
(
:owner
,
:last_pipeline
)
.
preload
(
:owner
,
:last_pipeline
)
.
find_by
(
id:
params
.
delete
(
:pipeline_schedule_id
)).
tap
do
|
pipeline_schedule
|
.
find_by
(
id:
params
.
delete
(
:pipeline_schedule_id
)).
tap
do
|
pipeline_schedule
|
unless
pipeline_schedule
||
can?
(
current_user
,
:read_pipeline_schedule
,
pipeline_schedule
)
unless
can?
(
current_user
,
:read_pipeline_schedule
,
pipeline_schedule
)
not_found!
(
'Pipeline Schedule'
)
not_found!
(
'Pipeline Schedule'
)
end
end
end
end
...
...
spec/requests/api/pipeline_schedules_spec.rb
View file @
2f906430
...
@@ -3,7 +3,7 @@ require 'spec_helper'
...
@@ -3,7 +3,7 @@ require 'spec_helper'
describe
API
::
PipelineSchedules
do
describe
API
::
PipelineSchedules
do
set
(
:developer
)
{
create
(
:user
)
}
set
(
:developer
)
{
create
(
:user
)
}
set
(
:user
)
{
create
(
:user
)
}
set
(
:user
)
{
create
(
:user
)
}
set
(
:project
)
{
create
(
:project
,
:repository
)
}
set
(
:project
)
{
create
(
:project
,
:repository
,
public_builds:
false
)
}
before
do
before
do
project
.
add_developer
(
developer
)
project
.
add_developer
(
developer
)
...
@@ -110,6 +110,18 @@ describe API::PipelineSchedules do
...
@@ -110,6 +110,18 @@ describe API::PipelineSchedules do
end
end
end
end
context
'authenticated user with insufficient permissions'
do
before
do
project
.
add_guest
(
user
)
end
it
'does not return pipeline_schedules list'
do
get
api
(
"/projects/
#{
project
.
id
}
/pipeline_schedules/
#{
pipeline_schedule
.
id
}
"
,
user
)
expect
(
response
).
to
have_http_status
(
:not_found
)
end
end
context
'unauthenticated user'
do
context
'unauthenticated user'
do
it
'does not return pipeline_schedules list'
do
it
'does not return pipeline_schedules list'
do
get
api
(
"/projects/
#{
project
.
id
}
/pipeline_schedules/
#{
pipeline_schedule
.
id
}
"
)
get
api
(
"/projects/
#{
project
.
id
}
/pipeline_schedules/
#{
pipeline_schedule
.
id
}
"
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment