Merge branch 'security-12-0-mr-head-pipeline-leak' into '12-0-stable'

Fix MR head pipeline leak See merge request gitlab/gitlabhq!3154
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-27 00:41:00 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-27 00:41:00 +0300
commit: dd6e07eee94fec79c052a7ec0182b4196f8db91b (patch)
tree: 25ff2147ef4c657ceeb997c14ebd38e7876a7089 /lib
parent: 87c6c8dabc402c4692e426d48d58febd4994be7f (diff)
parent: 21b8ccde8af20e5ae35e66de32fbb7947bc70372 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 9c7a7fad742..effb5b1358c 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -757,7 +757,9 @@ module API
         merge_request.metrics&.pipeline
       end
 
-      expose :head_pipeline, using: 'API::Entities::Pipeline'
+      expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
+        Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
+      end
 
       expose :diff_refs, using: Entities::DiffRefs
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-27 00:41:00 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-27 00:41:00 +0300
commit	dd6e07eee94fec79c052a7ec0182b4196f8db91b (patch)
tree	25ff2147ef4c657ceeb997c14ebd38e7876a7089 /lib
parent	87c6c8dabc402c4692e426d48d58febd4994be7f (diff)
parent	21b8ccde8af20e5ae35e66de32fbb7947bc70372 (diff)