Authorize read_build when listing pipeline jobs

a1c77f2d · Matija Čupić · c7ea2861 · a1c77f2d · a1c77f2d
Commit a1c77f2d authored Dec 14, 2018 by Matija Čupić
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

lib/api/jobs.rb lib/api/jobs.rb +2 -0

spec/requests/api/jobs_spec.rb spec/requests/api/jobs_spec.rb +13 -3

No files found.
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -59,6 +59,8 @@ module API
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/pipelines/:pipeline_id/jobs' do
        pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+        authorize!(:read_build, pipeline)
+
        builds = pipeline.builds
        builds = filter_builds(builds, params[:scope])
        builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])

--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -251,12 +251,22 @@ describe API::Jobs do
    end

    context 'unauthorized user' do
+      context 'when user is not logged in' do
        let(:api_user) { nil }

        it 'does not return jobs' do
          expect(response).to have_gitlab_http_status(401)
        end
      end
+
+      context 'when user is guest' do
+        let(:api_user) { guest }
+
+        it 'does not return jobs' do
+          expect(response).to have_gitlab_http_status(403)
+        end
+      end
+    end
  end

  describe 'GET /projects/:id/jobs/:job_id' do