Commit 2975f931 authored by John Jarvis's avatar John Jarvis

Merge branch 'security-11-5-guests-jobs-api' into 'security-11-5'

[11.5] Guest users have access to all Job information via the API

See merge request gitlab/gitlabhq!2745
parents 0287db5c 7b0c6fac
---
title: Authorize before reading job information via API.
merge_request:
author:
type: security
...@@ -38,6 +38,8 @@ module API ...@@ -38,6 +38,8 @@ module API
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do get ':id/jobs' do
authorize_read_builds!
builds = user_project.builds.order('id DESC') builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope]) builds = filter_builds(builds, params[:scope])
...@@ -56,7 +58,10 @@ module API ...@@ -56,7 +58,10 @@ module API
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
get ':id/pipelines/:pipeline_id/jobs' do get ':id/pipelines/:pipeline_id/jobs' do
authorize!(:read_pipeline, user_project)
pipeline = user_project.pipelines.find(params[:pipeline_id]) pipeline = user_project.pipelines.find(params[:pipeline_id])
authorize!(:read_build, pipeline)
builds = pipeline.builds builds = pipeline.builds
builds = filter_builds(builds, params[:scope]) builds = filter_builds(builds, params[:scope])
builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace]) builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
......
...@@ -142,6 +142,7 @@ describe API::Jobs do ...@@ -142,6 +142,7 @@ describe API::Jobs do
end end
context 'unauthorized user' do context 'unauthorized user' do
context 'when user is not logged in' do
let(:api_user) { nil } let(:api_user) { nil }
it 'does not return project jobs' do it 'does not return project jobs' do
...@@ -149,6 +150,15 @@ describe API::Jobs do ...@@ -149,6 +150,15 @@ describe API::Jobs do
end end
end end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return project jobs' do
expect(response).to have_gitlab_http_status(403)
end
end
end
def go def go
get api("/projects/#{project.id}/jobs", api_user), query get api("/projects/#{project.id}/jobs", api_user), query
end end
...@@ -241,12 +251,22 @@ describe API::Jobs do ...@@ -241,12 +251,22 @@ describe API::Jobs do
end end
context 'unauthorized user' do context 'unauthorized user' do
context 'when user is not logged in' do
let(:api_user) { nil } let(:api_user) { nil }
it 'does not return jobs' do it 'does not return jobs' do
expect(response).to have_gitlab_http_status(401) expect(response).to have_gitlab_http_status(401)
end end
end end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return jobs' do
expect(response).to have_gitlab_http_status(403)
end
end
end
end end
describe 'GET /projects/:id/jobs/:job_id' do describe 'GET /projects/:id/jobs/:job_id' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment