From 633ddc9ed98c690c082c7347422ac85f9b592fb4 Mon Sep 17 00:00:00 2001
From: James Lopez
Date: Tue, 15 Nov 2016 16:25:37 +0100
Subject: fix authorization of builds and added relevant spec
---
 app/controllers/projects/cycle_analytics/events_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'app/controllers/projects/cycle_analytics')
diff --git a/app/controllers/projects/cycle_analytics/events_controller.rb b/app/controllers/projects/cycle_analytics/events_controller.rb
index cc75dc247d3..cb52dfc830a 100644
--- a/app/controllers/projects/cycle_analytics/events_controller.rb
+++ b/app/controllers/projects/cycle_analytics/events_controller.rb
@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 include CycleAnalyticsParams
 before_action :authorize_read_cycle_analytics!
- before_action :authorize_read_builds!, only: [:test, :staging]
+ before_action :authorize_builds!, only: [:test, :staging]
 def issue
 render_events(events.issue_events)
@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 params[:events].slice(:start_date, :branch_name)
 end
+
+ def authorize_builds!
+ return access_denied! unless current_user.can?(:read_build, project)
+ end
 end
-- 
cgit v1.2.3
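Review bot: `authorize_builds!`, added in the second hunk, calls `current_user.can?` on the user object directly, so a request with no signed-in user would raise NoMethodError on nil and surface as a 500 rather than the access-denied response. Whether an anonymous request can get this far depends on `authorize_read_cycle_analytics!`, which is outside the hunk. Assuming the base controller's `can?(user, ability, subject)` helper is available here, the nil-safe form is `return access_denied! unless can?(current_user, :read_build, project)`. The method is appended at the end of the class and the hunk does not show whether a `private` keyword precedes it; if none does, it should sit under `private` so it is not a public controller method. A spec for the signed-out case on `test` and `staging` would pin the deny path.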