Merge branch 'security-11-6-guests-jobs-api' into 'security-11-6'

[11.6] Guest users have access to all Job information via the API See merge request gitlab/gitlabhq!2744
author: John Jarvis <jarv@gitlab.com> 2018-12-27 11:42:58 +0300
committer: John Jarvis <jarv@gitlab.com> 2018-12-27 11:42:58 +0300
commit: 28abad5fd6a195c900bb6577a6781069ec91a1ce (patch)
tree: c108709f525fe9841463cfefb34aefc38cd848ef /lib
parent: 773337f31100d2ae98c149aea0e6eccb9c54fcbe (diff)
parent: f6f5cf22ef6b611ea0b00f63a2a096f7fb320b7f (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 80a5cbd6b19..45c694b6448 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/jobs' do
+        authorize_read_builds!
+
         builds = user_project.builds.order('id DESC')
         builds = filter_builds(builds, params[:scope])
 
@@ -56,7 +58,10 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/pipelines/:pipeline_id/jobs' do
+        authorize!(:read_pipeline, user_project)
         pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+        authorize!(:read_build, pipeline)
+
         builds = pipeline.builds
         builds = filter_builds(builds, params[:scope])
         builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
author	John Jarvis <jarv@gitlab.com>	2018-12-27 11:42:58 +0300
committer	John Jarvis <jarv@gitlab.com>	2018-12-27 11:42:58 +0300
commit	28abad5fd6a195c900bb6577a6781069ec91a1ce (patch)
tree	c108709f525fe9841463cfefb34aefc38cd848ef /lib
parent	773337f31100d2ae98c149aea0e6eccb9c54fcbe (diff)
parent	f6f5cf22ef6b611ea0b00f63a2a096f7fb320b7f (diff)