diff options
author | drew cimino <dcimino@gitlab.com> | 2019-08-21 08:42:28 +0300 |
---|---|---|
committer | drew cimino <dcimino@gitlab.com> | 2019-08-22 10:20:07 +0300 |
commit | 47dcc36b0b5aaa289e109ac1a456dcbc2a263337 (patch) | |
tree | 6129532d43f1f4c31865139ab2137944a491ea7a /app | |
parent | 4a6d22ba439cb20937669c4aa2046acffb36a60e (diff) |
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index f4d381244d9..c9a1f28f87e 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -12,6 +12,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo skip_before_action :merge_request, only: [:index, :bulk_update] before_action :whitelist_query_limiting, only: [:assign_related_issues, :update] before_action :authorize_update_issuable!, only: [:close, :edit, :update, :remove_wip, :sort] + before_action :authorize_test_reports!, only: [:test_reports] before_action :set_issuables_index, only: [:index] before_action :authenticate_user!, only: [:assign_related_issues] before_action :check_user_can_push_to_source_branch!, only: [:rebase] @@ -336,4 +337,9 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo render json: { status_reason: 'Unknown error' }, status: :internal_server_error end end + + def authorize_test_reports! + # MergeRequest#actual_head_pipeline is the pipeline accessed in MergeRequest#compare_reports. + return render_404 unless can?(current_user, :read_build, merge_request.actual_head_pipeline) + end end |