Commit 300d1028 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-commit-status-shown-for-guest-user' into 'master'

[master] Stop showing ci for guest users on private pipeline

See merge request gitlab/gitlabhq!2830
parents 06415414 04d773d8
...@@ -84,7 +84,7 @@ ...@@ -84,7 +84,7 @@
title: _('Issues'), data: { container: 'body', placement: 'top' } do title: _('Issues'), data: { container: 'body', placement: 'top' } do
= sprite_icon('issues', size: 14, css_class: 'append-right-4') = sprite_icon('issues', size: 14, css_class: 'append-right-4')
= number_with_delimiter(project.open_issues_count) = number_with_delimiter(project.open_issues_count)
- if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status? - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status? && can?(current_user, :read_build, project)
%span.icon-wrapper.pipeline-status %span.icon-wrapper.pipeline-status
= render_project_pipeline_status(project.pipeline_status, tooltip_placement: 'top') = render_project_pipeline_status(project.pipeline_status, tooltip_placement: 'top')
.updated-note .updated-note
......
---
title: Fix showing ci status for guest users when public pipline are not set
merge_request:
author:
type: security
...@@ -147,6 +147,27 @@ describe 'Dashboard Projects' do ...@@ -147,6 +147,27 @@ describe 'Dashboard Projects' do
expect(page).to have_link('Commit: passed') expect(page).to have_link('Commit: passed')
end end
end end
context 'guest user of project and project has private pipelines' do
let(:guest_user) { create(:user) }
before do
project.update(public_builds: false)
project.add_guest(guest_user)
sign_in(guest_user)
end
it 'shows that the last pipeline passed' do
visit dashboard_projects_path
page.within('.controls') do
expect(page).not_to have_xpath("//a[@href='#{pipelines_project_commit_path(project, project.commit, ref: pipeline.ref)}']")
expect(page).not_to have_css('.ci-status-link')
expect(page).not_to have_css('.ci-status-icon-success')
expect(page).not_to have_link('Commit: passed')
end
end
end
end end
context 'last push widget', :use_clean_rails_memory_store_caching do context 'last push widget', :use_clean_rails_memory_store_caching do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment