Skip to content

G
gitlab-ce
Commit 2f906430 authored by Shinya Maeda's avatar Shinya Maeda
Browse files
Options

Fix security breaching

parent bb22989c
Show whitespace changes
Inline Side-by-side
Showing with 14 additions and 2 deletions
lib/api/pipeline_schedules.rb
View file @ 2f906430
......@@ -167,7 +167,7 @@ module API
.pipeline_schedules
.preload(:owner, :last_pipeline)
.find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule|
unless pipeline_schedule || can?(current_user, :read_pipeline_schedule, pipeline_schedule)
unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)
not_found!('Pipeline Schedule')
end
end
......
spec/requests/api/pipeline_schedules_spec.rb
View file @ 2f906430
......@@ -3,7 +3,7 @@ require 'spec_helper'
describe API::PipelineSchedules do
set(:developer) { create(:user) }
set(:user) { create(:user) }
set(:project) { create(:project, :repository) }
set(:project) { create(:project, :repository, public_builds: false) }
before do
project.add_developer(developer)
......@@ -110,6 +110,18 @@ describe API::PipelineSchedules do
end
end
context 'authenticated user with insufficient permissions' do
before do
project.add_guest(user)
end
it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to have_http_status(:not_found)
end
end
context 'unauthenticated user' do
it 'does not return pipeline_schedules list' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7