From c7ea28612a210811696dae50d6ca948c85566da2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Fri, 14 Dec 2018 16:36:33 +0100
Subject: Authorize read_build action when listing jobs
---
 lib/api/jobs.rb | 2 ++
 spec/requests/api/jobs_spec.rb | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 80a5cbd6b19..3cfeb9a2784 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/jobs' do
+ authorize_read_builds!
+
 builds = user_project.builds.order('id DESC')
 builds = filter_builds(builds, params[:scope])
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 73131dba542..6deb842b0bc 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -142,10 +142,20 @@ describe API::Jobs do
 end
 context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return project jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return project jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
 end
 end
-- 
cgit v1.2.3
From a1c77f2d34d979016499e4fa15b49e67d5666d63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Fri, 14 Dec 2018 16:42:04 +0100
Subject: Authorize read_build when listing pipeline jobs
---
 lib/api/jobs.rb | 2 ++
 spec/requests/api/jobs_spec.rb | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 3cfeb9a2784..bd704f3bf25 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
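Review bot: Both new contexts in the spec hunk pin only the failure status, and the same two-context block is repeated verbatim for the `:id/pipelines/:pipeline_id/jobs` spec in the next commit of this series (the @@ -251,10 +251,20 hunk); a shared example such as `it_behaves_like 'rejects anonymous and guest users'` carrying the 401/403 expectations would keep the two in step the next time the authorization rule changes. `guest` is not defined within the hunk, so this assumes a project member with the guest role is set up in the enclosing describe. It would also be worth a positive case at the lowest role that is still expected to list jobs, so the new `authorize_read_builds!` check is shown not to over-restrict; the surrounding `context` blocks start before the hunk, so such a case may already exist above.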
@@ -59,6 +59,8 @@ module API
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
 pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+ authorize!(:read_build, pipeline)
+
 builds = pipeline.builds
 builds = filter_builds(builds, params[:scope])
 builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
diff --git a/spec/requests/api/jobs_spec.rb b/spec/requests/api/jobs_spec.rb
index 6deb842b0bc..97aa71bf231 100644
--- a/spec/requests/api/jobs_spec.rb
+++ b/spec/requests/api/jobs_spec.rb
@@ -251,10 +251,20 @@ describe API::Jobs do
 end
 context 'unauthorized user' do
- let(:api_user) { nil }
+ context 'when user is not logged in' do
+ let(:api_user) { nil }
- it 'does not return jobs' do
- expect(response).to have_gitlab_http_status(401)
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(401)
+ end
+ end
+
+ context 'when user is guest' do
+ let(:api_user) { guest }
+
+ it 'does not return jobs' do
+ expect(response).to have_gitlab_http_status(403)
+ end
 end
 end
 end
-- 
cgit v1.2.3
From 89b856e76c5e77428535f169350443272a34e1d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Tue, 18 Dec 2018 14:36:26 +0100
Subject: Authorize read_pipeline before read_build
---
 lib/api/jobs.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index bd704f3bf25..e2ab60f3855 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -59,6 +59,7 @@ module API
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
 pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+ authorize!(:read_pipeline, user_project)
 authorize!(:read_build, pipeline)
 builds = pipeline.builds
-- 
cgit v1.2.3
From ccc227e6674e5ae42519776b82ce899193973496 Mon Sep 17 00:00:00 2001
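Review bot: `pipeline` is fetched with `find` before any authorization runs, so a caller who is not allowed to read builds can still learn from the 404-versus-403 split whether a given `pipeline_id` exists in the project (what `find` raises for a missing record is presumably rendered as 404); the project-level check should precede the lookup, the way `authorize_read_builds!` leads the `:id/jobs` endpoint in the previous commit. The third commit in this series (the @@ -59,6 +59,7 hunk) adds `authorize!(:read_pipeline, user_project)` but still places it after the `find`, so the same ordering concern applies there, and the fourth commit then moves it above. Taken on its own, this hunk would read better as `authorize_read_builds!` / `pipeline = user_project.ci_pipelines.find(params[:pipeline_id])` / `authorize!(:read_build, pipeline)`, which also keeps the two endpoints gating on the same project-level rule before any per-pipeline check. The `get` block continues past the end of the hunk.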
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Thu, 20 Dec 2018 04:09:47 +0100
Subject: Move pipeline auth above pipeline assignment
---
 lib/api/jobs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index e2ab60f3855..45c694b6448 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -58,8 +58,8 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
- pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
 authorize!(:read_pipeline, user_project)
+ pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
 authorize!(:read_build, pipeline)
 builds = pipeline.builds
-- 
cgit v1.2.3
From e783ad5b7ad16409a49afd10fa859dd19115164b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Sat, 22 Dec 2018 13:53:17 +0100
Subject: Add CHANGELOG entry
---
 changelogs/unreleased/security-master-guests-jobs-api.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/unreleased/security-master-guests-jobs-api.yml
diff --git a/changelogs/unreleased/security-master-guests-jobs-api.yml b/changelogs/unreleased/security-master-guests-jobs-api.yml
new file mode 100644
index 00000000000..83022e91aca
--- /dev/null
+++ b/changelogs/unreleased/security-master-guests-jobs-api.yml
@@ -0,0 +1,5 @@
+---
+title: Authorize before reading job information via API.
+merge_request:
+author:
+type: security
-- 
cgit v1.2.3
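Review bot: The final ordering in this hunk — project-level `read_pipeline` check, then the `find`, then `read_build` on the loaded pipeline — is the right shape, but nothing in the code says why the order matters, and the two preceding commits show how easily it drifts; a comment above the first `authorize!` would anchor it: `# Check the project before loading the pipeline so callers without read_pipeline cannot probe pipeline ids via 404 vs 403.` For consistency with `authorize_read_builds!` in the `:id/jobs` endpoint, the project-level check would read better through a named helper, assuming one exists or is worth adding for the read_pipeline rule. The `get` block continues past the end of the hunk.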