Commit 617f43c7 authored by Z.J. van de Weg's avatar Z.J. van de Weg Committed by Z.J. van de Weg

Guests can read builds if those are public

Fixes #18448
parent bd674591
module Ci
class BuildPolicy < CommitStatusPolicy
def rules
can! :read_build if @subject.project.public_builds?
super
# If we can't read build we should also not have that
......
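Review bot: The `can! :read_build if @subject.project.public_builds?` line at the top of `Ci::BuildPolicy#rules` grants the ability from the project flag alone, without looking at the user, whereas the matching grant in `ProjectPolicy` sits inside an access-level method. Unless `super` or a later rule revokes it (the rest of `rules` is outside the shown lines), an object-level check against a build could succeed for non-members and anonymous users of a private project whenever the flag is on. If visibility is meant to be enforced elsewhere, state that above the line, e.g. `# public_builds only widens access for users who can already see the project; see <where that is enforced>`. Also add a policy spec asserting that a non-member of a private project does not get `:read_build` on a build.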
......@@ -46,6 +46,11 @@ class ProjectPolicy < BasePolicy
can! :create_note
can! :upload_file
can! :read_cycle_analytics
if project.public_builds?
can! :read_pipeline
can! :read_build
end
end
def reporter_access!
......
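Review bot: The new `if project.public_builds?` block gives every guest member `:read_pipeline` and `:read_build`, and the specs in this commit pass `public_builds: false` to keep the old behaviour, which suggests the flag is on by default. If so, existing private projects start showing build output to guests as soon as this ships, and build logs frequently contain tokens or internal hostnames. A comment above the block would make the exposure explicit, e.g. `# public_builds lets guests read pipelines and build logs; confirm the default before release`. The changelog entry should also tell administrators to review the setting. The enclosing method starts above the hunk.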
---
title: Guests can read builds when public
merge_request: 6842
author:
require 'spec_helper'
describe "Guest navigation menu" do
let(:project) { create :empty_project, :private }
let(:guest) { create :user }
let(:project) { create(:empty_project, :private, public_builds: false) }
let(:guest) { create(:user) }
before do
project.team << [guest, :guest]
......
......@@ -260,6 +260,19 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
it { is_expected.to be_allowed_for guest }
end
context 'when public buils are disabled' do
before do
project.public_builds = false
project.save
end
it { is_expected.to be_denied_for guest }
end
end
describe "GET /:project_path/pipelines/:id" do
......@@ -275,6 +288,19 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
it { is_expected.to be_allowed_for guest }
end
context 'when public buils are disabled' do
before do
project.public_builds = false
project.save
end
it { is_expected.to be_denied_for guest }
end
end
describe "GET /:project_path/builds" do
......@@ -289,6 +315,19 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
it { is_expected.to be_allowed_for guest }
end
context 'when public buils are disabled' do
before do
project.public_builds = false
project.save
end
it { is_expected.to be_denied_for guest }
end
end
describe "GET /:project_path/builds/:id" do
......@@ -305,6 +344,19 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
it { is_expected.to be_allowed_for guest }
end
context 'when public buils are disabled' do
before do
project.public_builds = false
project.save
end
it { is_expected.to be_denied_for guest }
end
end
describe "GET /:project_path/environments" do
......
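Review bot: The `context 'when public builds is enabled'` blocks set nothing up, so the allowed-for-guest assertions depend on whatever the factory default for `public_builds` happens to be; `before { project.update!(public_builds: true) }` would pin the precondition these access checks are about. In the disabled contexts `project.save` discards its result, and `project.update!(public_builds: false)` would raise instead of silently leaving the flag unchanged. The description `'when public buils are disabled'` is misspelled. All three points apply equally to the hunks at -260, -275, -289 and -305.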
......@@ -111,13 +111,35 @@ describe ProjectPolicy, models: true do
context 'guests' do
let(:current_user) { guest }
it do
is_expected.to include(*guest_permissions)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*team_member_reporter_permissions)
is_expected.not_to include(*developer_permissions)
is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions)
context 'public builds enabled' do
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do
is_expected.to include(*guest_permissions)
is_expected.not_to include(*reporter_public_build_permissions)
is_expected.not_to include(*team_member_reporter_permissions)
is_expected.not_to include(*developer_permissions)
is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions)
end
end
context 'public builds disabled' do
before do
project.public_builds = false
project.save
end
it do
is_expected.to include(*guest_permissions)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*team_member_reporter_permissions)
is_expected.not_to include(*developer_permissions)
is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions)
end
end
end
......
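Review bot: The 'public builds enabled' example never asserts that the guest actually holds `:read_build` and `:read_pipeline`. It only subtracts them from the abilities the guest must not have, so it would still pass if the grant were missing, unless `guest_permissions` was extended outside the shown lines. Add `is_expected.to include(:read_build, :read_pipeline)` to that example. The context also relies on the default value of `public_builds`; setting it explicitly in a `before` block would make the precondition visible next to the assertion.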
......@@ -5,7 +5,7 @@ describe API::Builds, api: true do
let(:user) { create(:user) }
let(:api_user) { user }
let!(:project) { create(:project, creator_id: user.id) }
let!(:project) { create(:project, creator_id: user.id, public_builds: false) }
let!(:developer) { create(:project_member, :developer, user: user, project: project) }
let(:reporter) { create(:project_member, :reporter, project: project) }
let(:guest) { create(:project_member, :guest, project: project) }
......
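Review bot: Creating the project with `public_builds: false` keeps the existing API examples on the old behaviour, but nothing visible in this hunk exercises the API with the flag enabled. Since the policy change widens who may read builds, the API spec should gain a `context 'when public_builds is enabled'` that checks two things: a guest member can list and fetch builds, and a user with no membership on a private project is still refused. The rest of the `describe` block is outside the hunk, so such a case may already exist further down.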