Commit 1c42f748 authored by Fabio Pitino's avatar Fabio Pitino

Don't display badges when builds are restricted

Badges were leaked to unauthorized users even when Public Builds
project setting is disabled.

Added guard clause to the controller to check if user can read
build.
parent 0cd59a75
......@@ -3,7 +3,8 @@
class Projects::BadgesController < Projects::ApplicationController
layout 'project_settings'
before_action :authorize_admin_project!, only: [:index]
before_action :no_cache_headers, except: [:index]
before_action :no_cache_headers, only: [:pipeline, :coverage]
before_action :authorize_read_build!, only: [:pipeline, :coverage]
def pipeline
pipeline_status = Gitlab::Badge::Pipeline::Status
......
---
title: Show badges if pipelines are public otherwise default to project permissions.
erge_request:
author:
type: security
......@@ -7,32 +7,54 @@ describe Projects::BadgesController do
let!(:pipeline) { create(:ci_empty_pipeline) }
let(:user) { create(:user) }
shared_examples 'a badge resource' do |badge_type|
context 'when pipelines are public' do
before do
project.add_maintainer(user)
sign_in(user)
project.update!(public_builds: true)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'requests the pipeline badge successfully' do
get_badge(:pipeline)
it "returns the #{badge_type} badge to unauthenticated users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
it 'requests the coverage badge successfully' do
get_badge(:coverage)
context 'when project is restricted' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it "returns the #{badge_type} badge to guest users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
context 'format' do
before do
project.add_maintainer(user)
sign_in(user)
end
it 'renders the `flat` badge layout by default' do
get_badge(:coverage)
get_badge(badge_type)
expect(response).to render_template('projects/badges/badge')
end
context 'when style param is set to `flat`' do
it 'renders the `flat` badge layout' do
get_badge(:coverage, 'flat')
get_badge(badge_type, 'flat')
expect(response).to render_template('projects/badges/badge')
end
......@@ -40,7 +62,7 @@ describe Projects::BadgesController do
context 'when style param is set to an invalid type' do
it 'renders the `flat` (default) badge layout' do
get_badge(:coverage, 'xxx')
get_badge(badge_type, 'xxx')
expect(response).to render_template('projects/badges/badge')
end
......@@ -48,11 +70,53 @@ describe Projects::BadgesController do
context 'when style param is set to `flat-square`' do
it 'renders the `flat-square` badge layout' do
get_badge(:coverage, 'flat-square')
get_badge(badge_type, 'flat-square')
expect(response).to render_template('projects/badges/badge_flat-square')
end
end
end
context 'when pipelines are not public' do
before do
project.update!(public_builds: false)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns 404 to unauthenticated users' do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when project is restricted to the user' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it 'defaults to project permissions' do
get_badge(:coverage)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
describe '#pipeline' do
it_behaves_like 'a badge resource', :pipeline
end
describe '#coverage' do
it_behaves_like 'a badge resource', :coverage
end
def get_badge(badge, style = nil)
params = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment