Commit a1c77f2d authored by Matija Čupić's avatar Matija Čupić

Authorize read_build when listing pipeline jobs

parent c7ea2861
...@@ -59,6 +59,8 @@ module API ...@@ -59,6 +59,8 @@ module API
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
get ':id/pipelines/:pipeline_id/jobs' do get ':id/pipelines/:pipeline_id/jobs' do
pipeline = user_project.ci_pipelines.find(params[:pipeline_id]) pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
authorize!(:read_build, pipeline)
builds = pipeline.builds builds = pipeline.builds
builds = filter_builds(builds, params[:scope]) builds = filter_builds(builds, params[:scope])
builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace]) builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
......
...@@ -251,10 +251,20 @@ describe API::Jobs do ...@@ -251,10 +251,20 @@ describe API::Jobs do
end end
context 'unauthorized user' do context 'unauthorized user' do
let(:api_user) { nil } context 'when user is not logged in' do
let(:api_user) { nil }
it 'does not return jobs' do it 'does not return jobs' do
expect(response).to have_gitlab_http_status(401) expect(response).to have_gitlab_http_status(401)
end
end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return jobs' do
expect(response).to have_gitlab_http_status(403)
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment