Commit 1c42f748 authored by Fabio Pitino's avatar Fabio Pitino

Don't display badges when builds are restricted

Badges were leaked to unauthorized users even when Public Builds
project setting is disabled.

Added guard clause to the controller to check if user can read
build.
parent 0cd59a75
...@@ -3,7 +3,8 @@ ...@@ -3,7 +3,8 @@
class Projects::BadgesController < Projects::ApplicationController class Projects::BadgesController < Projects::ApplicationController
layout 'project_settings' layout 'project_settings'
before_action :authorize_admin_project!, only: [:index] before_action :authorize_admin_project!, only: [:index]
before_action :no_cache_headers, except: [:index] before_action :no_cache_headers, only: [:pipeline, :coverage]
before_action :authorize_read_build!, only: [:pipeline, :coverage]
def pipeline def pipeline
pipeline_status = Gitlab::Badge::Pipeline::Status pipeline_status = Gitlab::Badge::Pipeline::Status
......
---
title: Show badges if pipelines are public otherwise default to project permissions.
erge_request:
author:
type: security
...@@ -7,51 +7,115 @@ describe Projects::BadgesController do ...@@ -7,51 +7,115 @@ describe Projects::BadgesController do
let!(:pipeline) { create(:ci_empty_pipeline) } let!(:pipeline) { create(:ci_empty_pipeline) }
let(:user) { create(:user) } let(:user) { create(:user) }
before do shared_examples 'a badge resource' do |badge_type|
project.add_maintainer(user) context 'when pipelines are public' do
sign_in(user) before do
end project.update!(public_builds: true)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it "returns the #{badge_type} badge to unauthenticated users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
context 'when project is restricted' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it "returns the #{badge_type} badge to guest users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
it 'requests the pipeline badge successfully' do context 'format' do
get_badge(:pipeline) before do
project.add_maintainer(user)
sign_in(user)
end
expect(response).to have_gitlab_http_status(:ok) it 'renders the `flat` badge layout by default' do
end get_badge(badge_type)
it 'requests the coverage badge successfully' do expect(response).to render_template('projects/badges/badge')
get_badge(:coverage) end
expect(response).to have_gitlab_http_status(:ok) context 'when style param is set to `flat`' do
end it 'renders the `flat` badge layout' do
get_badge(badge_type, 'flat')
it 'renders the `flat` badge layout by default' do expect(response).to render_template('projects/badges/badge')
get_badge(:coverage) end
end
expect(response).to render_template('projects/badges/badge') context 'when style param is set to an invalid type' do
end it 'renders the `flat` (default) badge layout' do
get_badge(badge_type, 'xxx')
expect(response).to render_template('projects/badges/badge')
end
end
context 'when style param is set to `flat`' do context 'when style param is set to `flat-square`' do
it 'renders the `flat` badge layout' do it 'renders the `flat-square` badge layout' do
get_badge(:coverage, 'flat') get_badge(badge_type, 'flat-square')
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge_flat-square')
end
end
end end
end
context 'when style param is set to an invalid type' do context 'when pipelines are not public' do
it 'renders the `flat` (default) badge layout' do before do
get_badge(:coverage, 'xxx') project.update!(public_builds: false)
end
expect(response).to render_template('projects/badges/badge') context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns 404 to unauthenticated users' do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when project is restricted to the user' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it 'defaults to project permissions' do
get_badge(:coverage)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
end end
context 'when style param is set to `flat-square`' do describe '#pipeline' do
it 'renders the `flat-square` badge layout' do it_behaves_like 'a badge resource', :pipeline
get_badge(:coverage, 'flat-square') end
expect(response).to render_template('projects/badges/badge_flat-square') describe '#coverage' do
end it_behaves_like 'a badge resource', :coverage
end end
def get_badge(badge, style = nil) def get_badge(badge, style = nil)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment