Do not require API authentication if artifacts are public

author: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2017-09-05 14:22:15 +0300
committer: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2017-09-05 14:22:15 +0300
commit: d4154ef30f52b30054e8e5d9bbf172d8700e8049 (patch)
tree: 379a4046e5f6bc9689f5f6153b5af56e04a090f1 /spec/requests
parent: 3b874414c06156767117b7aa7ae705c7342d887c (diff)
1 files changed, 38 insertions, 7 deletions
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 9a113096951..dd2aed38412 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -196,13 +196,43 @@ describe API::Jobs do
         'other_artifacts_0.1.2/another-subdirectory/banana_sample.gif'
       end
 
-      context 'when user is not unauthorized' do
+      context 'when user is anonymous' do
         let(:api_user) { nil }
 
-        it 'does not return specific job artifacts' do
-          get_artifact_file(artifact)
+        context 'when project is public' do
+          it 'allows to access artifacts' do
+            project.update_column(:visibility_level,
+                                  Gitlab::VisibilityLevel::PUBLIC)
+            project.update_column(:public_builds, true)
+
+            get_artifact_file(artifact)
+
+            expect(response).to have_http_status(200)
+          end
+        end
+
+        context 'when project is public with builds access disabled' do
+          it 'rejects access to artifacts' do
+            project.update_column(:visibility_level,
+                                  Gitlab::VisibilityLevel::PUBLIC)
+            project.update_column(:public_builds, false)
 
-          expect(response).to have_http_status(401)
+            get_artifact_file(artifact)
+
+            expect(response).to have_http_status(403)
+          end
+        end
+
+        context 'when project is private' do
+          it 'rejects access and hides existence of artifacts' do
+            project.update_column(:visibility_level,
+                                  Gitlab::VisibilityLevel::PRIVATE)
+            project.update_column(:public_builds, true)
+
+            get_artifact_file(artifact)
+
+            expect(response).to have_http_status(404)
+          end
         end
       end
 
@@ -257,11 +287,12 @@ describe API::Jobs do
         end
       end
 
-      context 'unauthorized user' do
+      context 'when anonymous user is accessing private artifacts' do
         let(:api_user) { nil }
 
-        it 'does not return specific job artifacts' do
-          expect(response).to have_http_status(401)
+        it 'hides artifacts and rejects request' do
+          expect(project).to be_private
+          expect(response).to have_http_status(404)
         end
       end
     end
author	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2017-09-05 14:22:15 +0300
committer	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2017-09-05 14:22:15 +0300
commit	d4154ef30f52b30054e8e5d9bbf172d8700e8049 (patch)
tree	379a4046e5f6bc9689f5f6153b5af56e04a090f1 /spec/requests
parent	3b874414c06156767117b7aa7ae705c7342d887c (diff)