Limit projects to user available projects if user is not an admin

lib/api/entities.rb

@@ -388,7 +388,13 @@ module API
       expose :version, :revision, :platform, :architecture
       expose :contacted_at, as: :last_contact
       expose :token, if: lambda { |runner, options| options[:user_is_admin] || !runner.is_shared? }
-      expose :projects, with: Entities::RunnerProjectDetails
+      expose :projects, with: Entities::RunnerProjectDetails do |runner, options|
+        if options[:user_is_admin]
+          runner.projects
+        else
+          runner.projects.where(id: options[:available_projects_ids])
+        end
+      end
     end
 
     class Build < Grape::Entity

lib/api/runners.rb

@@ -33,7 +33,11 @@ module API
         runner = get_runner(params[:id])
         authenticate_show_runner!(runner)
 
-        present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?
+        available_projects_ids = runner.projects.select{ |p| can?(current_user, :read_project, p) }
+                                       .map(&:id) unless current_user.is_admin?
+
+        present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?,
+                        available_projects_ids: available_projects_ids
       end
 
       # Update runner's details