author | drew cimino <dcimino@gitlab.com> | 2019-08-21 08:42:28 +0300 |
---|---|---|
committer | drew cimino <dcimino@gitlab.com> | 2019-08-22 10:16:32 +0300 |
commit | f7fbf49929e24e2f9bfec0a68fd450c3547f7a78 (patch) | |
tree | d49d62cb7f89a0e3557980975c1130b943c89401 /app | |
parent | 80c57bf6d13d6025a9568afb9cca36c279fac593 (diff) |
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index f4d381244d9..c9a1f28f87e 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -12,6 +12,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
 skip_before_action :merge_request, only: [:index, :bulk_update]
 before_action :whitelist_query_limiting, only: [:assign_related_issues, :update]
 before_action :authorize_update_issuable!, only: [:close, :edit, :update, :remove_wip, :sort]
+ before_action :authorize_test_reports!, only: [:test_reports]
 before_action :set_issuables_index, only: [:index]
 before_action :authenticate_user!, only: [:assign_related_issues]
 before_action :check_user_can_push_to_source_branch!, only: [:rebase]
@@ -336,4 +337,9 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
 render json: { status_reason: 'Unknown error' }, status: :internal_server_error
 end
 end
+
+ def authorize_test_reports!
+ # MergeRequest#actual_head_pipeline is the pipeline accessed in MergeRequest#compare_reports.
+ return render_404 unless can?(current_user, :read_build, merge_request.actual_head_pipeline)
+ end
 end |
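Review bot: The new `before_action :authorize_test_reports!, only: [:test_reports]` does not by itself require a signed-in user, although the commit title says the action is restricted to authenticated users. The only `authenticate_user!` filter visible in this hunk is scoped to `:assign_related_issues`, and the check added in the second hunk hands `current_user` to `can?` whether or not it is nil. If anonymous readers of projects with public builds are meant to keep access, a comment such as `# anonymous users pass only where the policy grants :read_build` would record that; if not, `:test_reports` belongs in the `only:` list of `authenticate_user!`. The parent controller is outside the hunk, so an inherited authentication filter may already cover this.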
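Review bot: `authorize_test_reports!` authorizes against `merge_request.actual_head_pipeline` only, and two cases in that one-line check deserve a comment or a spec. When the merge request has no head pipeline the subject passed to `can?` is nil. That presumably resolves to a deny and a 404, which fails closed but changes the response for merge requests without a pipeline; a comment like `# a nil pipeline (no CI run yet) is denied and renders 404` would make it explicit. The in-code comment ties the check to `MergeRequest#compare_reports`; if that comparison also reads a base pipeline (not visible here), access to its builds is not verified by this filter. The diffstat is limited to `app`, so whether a controller spec covers the denied and nil-pipeline paths cannot be seen from this page.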