Add check for user being a member of group

lib/api/api_guard.rb

@@ -8,7 +8,8 @@ module API
 
     PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN".freeze
     PRIVATE_TOKEN_PARAM = :private_token
-    CI_JOB_TOKEN_PARAM = :ci_job_token
+    CI_JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
+    CI_JOB_TOKEN_PARAM = :job_token
 
     included do |base|
       # OAuth2 Resource Server Authentication
@@ -91,11 +92,10 @@ module API
       def find_user_by_ci_token
         return nil unless route_authentication_setting[:job_token_allowed]
 
-        job_token = params[CI_JOB_TOKEN_PARAM].to_s
-
-        return nil unless job_token.present?
+        token_string = (params[CI_JOB_TOKEN_PARAM] || env[CI_JOB_TOKEN_HEADER]).to_s
+        return nil unless token_string.present?
 
-        Ci::Build.find_by_token(job_token)&.user
+        Ci::Build.find_by_token(token_string)&.user
       end
 
       def current_user

lib/api/helpers.rb

@@ -58,7 +58,9 @@ module API
     def find_project!(id)
       project = find_project(id)
 
-      if can?(current_user, :read_project, project)
+      if ci_job_token && !current_user.authorized_projects.exists?(project)
+        not_found!('Project')
+      elsif can?(current_user, :read_project, project)
         project
       else
         not_found!('Project')
@@ -84,7 +86,9 @@ module API
     def find_group!(id)
       group = find_group(id)
 
-      if can?(current_user, :read_group, group)
+      if ci_job_token
+        not_found!('Group')
+      elsif can?(current_user, :read_group, group)
         group
       else
         not_found!('Group')
@@ -350,6 +354,10 @@ module API
       params[APIGuard::PRIVATE_TOKEN_PARAM] || env[APIGuard::PRIVATE_TOKEN_HEADER]
     end
 
+    def ci_job_token
+      params[APIGuard::CI_JOB_TOKEN_PARAM] || env[APIGuard::CI_JOB_TOKEN_HEADER]
+    end
+
     def warden
       env['warden']
     end