Commit 2f906430 authored by Shinya Maeda's avatar Shinya Maeda

Fix security breaching

parent bb22989c
...@@ -167,7 +167,7 @@ module API ...@@ -167,7 +167,7 @@ module API
.pipeline_schedules .pipeline_schedules
.preload(:owner, :last_pipeline) .preload(:owner, :last_pipeline)
.find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule| .find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule|
unless pipeline_schedule || can?(current_user, :read_pipeline_schedule, pipeline_schedule) unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)
not_found!('Pipeline Schedule') not_found!('Pipeline Schedule')
end end
end end
......
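Review bot: The rewritten guard on the `unless` line now hands a nil `pipeline_schedule` to `can?` whenever `find_by` returns nothing, so the 404 in that case rests on the policy treating a nil subject as denied rather than on an explicit check in this code. Spelling the missing-record case out keeps the two conditions readable and independent of policy internals: `unless pipeline_schedule && can?(current_user, :read_pipeline_schedule, pipeline_schedule)`. Answering both the missing and the forbidden case with the same `not_found!` is the right choice here, since a distinct 403 would confirm to an unauthorised caller that the schedule id exists. The enclosing helper method starts outside the hunk.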
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe API::PipelineSchedules do describe API::PipelineSchedules do
set(:developer) { create(:user) } set(:developer) { create(:user) }
set(:user) { create(:user) } set(:user) { create(:user) }
set(:project) { create(:project, :repository) } set(:project) { create(:project, :repository, public_builds: false) }
before do before do
project.add_developer(developer) project.add_developer(developer)
...@@ -110,6 +110,18 @@ describe API::PipelineSchedules do ...@@ -110,6 +110,18 @@ describe API::PipelineSchedules do
end end
end end
context 'authenticated user with insufficient permissions' do
before do
project.add_guest(user)
end
it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to have_http_status(:not_found)
end
end
context 'unauthenticated user' do context 'unauthenticated user' do
it 'does not return pipeline_schedules list' do it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}") get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
......
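Review bot: The new example in the 'authenticated user with insufficient permissions' context is named `does not return pipeline_schedules list` although the request fetches a single schedule by id; `it 'does not return the pipeline_schedule'` describes it accurately, and the adjacent unauthenticated example carries the same copied name. The guest expectation also appears to depend on the `public_builds: false` fixture change higher in the file, which changes the project used by every example in this spec; a short comment on that `set(:project)` line such as `# public_builds: false so a guest is not allowed to read schedules` would record why the default was changed and keep the expectation from silently flipping if the fixture is later reverted. The describe block enclosing the new context starts outside the hunk.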