Merge branch 'security-master-guests-jobs-api' into 'master'

[master] Guest users have access to all Job information via the API See merge request gitlab/gitlabhq!2717

Merge branch 'security-master-guests-jobs-api' into 'master'
[master] Guest users have access to all Job information via the API See merge request gitlab/gitlabhq!2717
9929351b · John Jarvis · 1f7b0572 · e783ad5b · 9929351b · 9929351b
Commit 9929351b authored Jan 01, 2019 by John Jarvis
3 changed files
--- a/changelogs/unreleased/security-master-guests-jobs-api.yml
+++ b/changelogs/unreleased/security-master-guests-jobs-api.yml
+---
+title: Authorize before reading job information via API.
+merge_request:
+author:
+type: security
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
      end
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/jobs' do
+        authorize_read_builds!
+
        builds = user_project.builds.order('id DESC')
        builds = filter_builds(builds, params[:scope])

@@ -56,7 +58,10 @@ module API
      end
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/pipelines/:pipeline_id/jobs' do
+        authorize!(:read_pipeline, user_project)
        pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+        authorize!(:read_build, pipeline)
+
        builds = pipeline.builds
        builds = filter_builds(builds, params[:scope])
        builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])

--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
    end

    context 'unauthorized user' do
-      let(:api_user) { nil }
+      context 'when user is not logged in' do
+        let(:api_user) { nil }

-      it 'does not return project jobs' do
-        expect(response).to have_gitlab_http_status(401)
+        it 'does not return project jobs' do
+          expect(response).to have_gitlab_http_status(401)
+        end
+      end
+
+      context 'when user is guest' do
+        let(:api_user) { guest }
+
+        it 'does not return project jobs' do
+          expect(response).to have_gitlab_http_status(403)
+        end
      end
    end

@@ -241,10 +251,20 @@ describe API::Jobs do
    end

    context 'unauthorized user' do
-      let(:api_user) { nil }
+      context 'when user is not logged in' do
+        let(:api_user) { nil }

-      it 'does not return jobs' do
-        expect(response).to have_gitlab_http_status(401)
+        it 'does not return jobs' do
+          expect(response).to have_gitlab_http_status(401)
+        end
+      end
+
+      context 'when user is guest' do
+        let(:api_user) { guest }
+
+        it 'does not return jobs' do
+          expect(response).to have_gitlab_http_status(403)
+        end
      end
    end
  end