Commit ef2b5081 authored by Furkan Ayhan's avatar Furkan Ayhan

Add permission check for pipeline status of MR

widget.json endpoint of MRs exposes ci_status to unauthorized users.
This commit will add permission control of pipeline read access.
parent bc23c3cc
...@@ -53,7 +53,7 @@ class MergeRequestPollWidgetEntity < Grape::Entity ...@@ -53,7 +53,7 @@ class MergeRequestPollWidgetEntity < Grape::Entity
# CI related # CI related
expose :has_ci?, as: :has_ci expose :has_ci?, as: :has_ci
expose :ci_status do |merge_request| expose :ci_status, if: -> (mr, _) { presenter(mr).can_read_pipeline? } do |merge_request|
presenter(merge_request).ci_status presenter(merge_request).ci_status
end end
......
---
title: Add permission check for pipeline status of MR
merge_request:
author:
type: security
...@@ -138,7 +138,7 @@ describe MergeRequestPollWidgetEntity do ...@@ -138,7 +138,7 @@ describe MergeRequestPollWidgetEntity do
end end
describe 'pipeline' do describe 'pipeline' do
let(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) } let!(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) }
before do before do
allow_any_instance_of(MergeRequestPresenter).to receive(:can?).and_call_original allow_any_instance_of(MergeRequestPresenter).to receive(:can?).and_call_original
...@@ -158,6 +158,10 @@ describe MergeRequestPollWidgetEntity do ...@@ -158,6 +158,10 @@ describe MergeRequestPollWidgetEntity do
expect(subject[:pipeline]).to eq(pipeline_payload) expect(subject[:pipeline]).to eq(pipeline_payload)
end end
it 'returns ci_status' do
expect(subject[:ci_status]).to eq('pending')
end
end end
context 'when is not up to date' do context 'when is not up to date' do
...@@ -171,10 +175,15 @@ describe MergeRequestPollWidgetEntity do ...@@ -171,10 +175,15 @@ describe MergeRequestPollWidgetEntity do
context 'when user does not have access to pipelines' do context 'when user does not have access to pipelines' do
let(:result) { false } let(:result) { false }
let(:req) { double('request', current_user: user, project: project) }
it 'does not have pipeline' do it 'does not have pipeline' do
expect(subject[:pipeline]).to eq(nil) expect(subject[:pipeline]).to eq(nil)
end end
it 'does not return ci_status' do
expect(subject[:ci_status]).to eq(nil)
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment