Commit ff3776c8 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Should check against `authorize_read_builds!`

parent 88aacaa7
...@@ -83,6 +83,8 @@ module API ...@@ -83,6 +83,8 @@ module API
# GET /projects/:id/artifacts/:ref_name/download?job=name # GET /projects/:id/artifacts/:ref_name/download?job=name
get ':id/builds/artifacts/:ref_name/download', get ':id/builds/artifacts/:ref_name/download',
requirements: { ref_name: /.+/ } do requirements: { ref_name: /.+/ } do
authorize_read_builds!
builds = user_project.latest_successful_builds_for(params[:ref_name]) builds = user_project.latest_successful_builds_for(params[:ref_name])
latest_build = builds.find_by!(name: params[:job]) latest_build = builds.find_by!(name: params[:job])
......
...@@ -6,9 +6,11 @@ describe API::API, api: true do ...@@ -6,9 +6,11 @@ describe API::API, api: true do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:api_user) { user } let(:api_user) { user }
let(:user2) { create(:user) } let(:user2) { create(:user) }
let(:guest_user) { create(:user) }
let!(:project) { create(:project, creator_id: user.id) } let!(:project) { create(:project, creator_id: user.id) }
let!(:developer) { create(:project_member, :developer, user: user, project: project) } let!(:developer) { create(:project_member, :developer, user: user, project: project) }
let!(:reporter) { create(:project_member, :reporter, user: user2, project: project) } let!(:reporter) { create(:project_member, :reporter, user: user2, project: project) }
let!(:guest) { create(:project_member, :guest, user: guest_user, project: project) }
let!(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit.id, ref: project.default_branch) } let!(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit.id, ref: project.default_branch) }
let!(:build) { create(:ci_build, pipeline: pipeline) } let!(:build) { create(:ci_build, pipeline: pipeline) }
...@@ -192,6 +194,18 @@ describe API::API, api: true do ...@@ -192,6 +194,18 @@ describe API::API, api: true do
end end
end end
context 'when forbidden' do
let(:api_user) { guest_user }
before do
get path_for_ref
end
it 'gives 403' do
expect(response).to have_http_status(403)
end
end
context 'non-existing build' do context 'non-existing build' do
shared_examples 'not found' do shared_examples 'not found' do
it { expect(response).to have_http_status(:not_found) } it { expect(response).to have_http_status(:not_found) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment