Authorize read_build action when listing jobs

c7ea2861 · Matija Čupić · f9fd9b1d · c7ea2861 · c7ea2861
Commit c7ea2861 authored Dec 14, 2018 by Matija Čupić
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

lib/api/jobs.rb lib/api/jobs.rb +2 -0

spec/requests/api/jobs_spec.rb spec/requests/api/jobs_spec.rb +13 -3

No files found.
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
      end
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/jobs' do
+        authorize_read_builds!
+
        builds = user_project.builds.order('id DESC')
        builds = filter_builds(builds, params[:scope])


--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
    end

    context 'unauthorized user' do
-      let(:api_user) { nil }
+      context 'when user is not logged in' do
+        let(:api_user) { nil }

-      it 'does not return project jobs' do
-        expect(response).to have_gitlab_http_status(401)
+        it 'does not return project jobs' do
+          expect(response).to have_gitlab_http_status(401)
+        end
+      end
+
+      context 'when user is guest' do
+        let(:api_user) { guest }
+
+        it 'does not return project jobs' do
+          expect(response).to have_gitlab_http_status(403)
+        end
      end
    end