
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorMatija Čupić <matteeyah@gmail.com>2018-12-14 18:36:33 +0300
committerMatija Čupić <matteeyah@gmail.com>2018-12-22 14:20:06 +0300
commit37954d6227734f3e4c09aa1415f7e15b8743c93e (patch)
tree5fd7151a4332f84537fafc050f2cafd670f34ef9
parentee75bc48add946872185ef63fbad272ca35156d8 (diff)
Authorize read_build action when listing jobs
-rw-r--r--lib/api/jobs.rb2
-rw-r--r--spec/requests/api/jobs_spec.rb16
2 files changed, 15 insertions, 3 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index fa992b9a440..b9b95734f33 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do
+ authorize_read_builds!
+
builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope])
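Review bot: The `authorize_read_builds!` call added at the top of `get ':id/jobs'` has no comment saying what it protects, and the hunk does not show whether the other routes in this file that return job data carry the same guard. Its position ahead of `user_project.builds` is right, since nothing is queried for a caller who fails the check. I would add a line above it such as `# Listing jobs exposes CI metadata: require read_build, not just project membership`, and confirm that any sibling job endpoints outside this hunk are covered the same way. The route body continues past the end of the hunk.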
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 8770365c893..fcb704379b1 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return project jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
end
end
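Review bot: The new guest context asserts only the 403 status, and its outcome depends on `guest` and on the project's build-visibility setting, both of which are defined outside this hunk. If the project fixture were changed to allow public builds, a guest would presumably hold read_build and this example would start failing for a reason unrelated to the endpoint. Naming the precondition in the description, e.g. `context 'when user is guest and builds are not public' do`, keeps the intent clear. An example for a role that does hold read_build, asserting the listing still returns 200, would pin the other side of the check; one may already exist above the hunk.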