Merge branch 'fix/deprecated-ci-badge-permissions' into 'master'

Fix permissions for deprecated CI build status badge This fixes permissions for deprecated status badge, being unavailable even if project is public. Closes #13324 See merge request !3030

Merge branch 'fix/deprecated-ci-badge-permissions' into 'master'
Fix permissions for deprecated CI build status badge This fixes permissions for deprecated status badge, being unavailable even if project is public. Closes #13324 See merge request !3030
4d857c08 · Douwe Maan · Rémy Coutable · 26959be0 · 4d857c08 · 4d857c08
Commit 4d857c08 authored Mar 02, 2016 by Douwe Maan Committed by Rémy Coutable Mar 02, 2016
3 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 8.5.2
  - Don't show any "2FA required" message if it's not actually required
  - Fix help keyboard shortcut on relative URL setups (Artem Sidorenko)
  - Update Rails to 4.2.5.2
+  - Fix permissions for deprecated CI build status badge
 v 8.5.1
  - Fix group projects styles

--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
@@ -3,6 +3,7 @@ module Ci
    before_action :project
    before_action :authorize_read_project!, except: [:badge]
    before_action :no_cache, only: [:badge]
+    skip_before_action :authenticate_user!, only: [:badge]
    protect_from_forgery
    def show
@@ -18,6 +19,7 @@ module Ci
    #
    def badge
      return render_404 unless @project
      image = Ci::ImageForBuildService.new.execute(@project, params)
      send_file image.path, filename: image.name, disposition: 'inline', type:"image/svg+xml"
    end

--- a/spec/controllers/ci/projects_controller_spec.rb
+++ b/spec/controllers/ci/projects_controller_spec.rb
+require 'spec_helper'
+describe Ci::ProjectsController do
+  let(:visibility) { :public }
+  let!(:project) { create(:project, visibility, ci_id: 1) }
+  let(:ci_id) { project.ci_id }
+  ##
+  # Specs for *deprecated* CI badge
+  #
+  describe '#badge' do
+    shared_examples 'badge provider' do
+      it 'shows badge' do
+        expect(response.status).to eq 200
+        expect(response.headers)
+          .to include('Content-Type' => 'image/svg+xml')
+      end
+    end
+    context 'user not signed in' do
+      before { get(:badge, id: ci_id) }
+      context 'project has no ci_id reference' do
+        let(:ci_id) { 123 }
+        it 'returns 404' do
+          expect(response.status).to eq 404
+        end
+      end
+      context 'project is public' do
+        let(:visibility) { :public }
+        it_behaves_like 'badge provider'
+      end
+      context 'project is private' do
+        let(:visibility) { :private }
+        it_behaves_like 'badge provider'
+      end
+    end
+    context 'user signed in' do
+      let(:user) { create(:user) }
+      before { sign_in(user) }
+      before { get(:badge, id: ci_id) }
+      context 'private is internal' do
+        let(:visibility) { :internal }
+        it_behaves_like 'badge provider'
+      end
+    end
+  end
+end