From bd96ffb2ee863890f71c67b19230cfe2761c9612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Fri, 14 Dec 2018 16:36:33 +0100
Subject: Authorize read_build action when listing jobs
---
 lib/api/jobs.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib')
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 80a5cbd6b19..3cfeb9a2784 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -38,6 +38,8 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/jobs' do
+ authorize_read_builds!
+
 builds = user_project.builds.order('id DESC')
 builds = filter_builds(builds, params[:scope])
-- 
cgit v1.2.3
From b19065594989d13a417660fc346f6213cd73674d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Fri, 14 Dec 2018 16:42:04 +0100
Subject: Authorize read_build when listing pipeline jobs
---
 lib/api/jobs.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib')
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index 3cfeb9a2784..bd704f3bf25 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -59,6 +59,8 @@ module API
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
 pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+ authorize!(:read_build, pipeline)
+
 builds = pipeline.builds
 builds = filter_builds(builds, params[:scope])
 builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace])
-- 
cgit v1.2.3
From 8a36125ada579300f746e0f2207282149acdf1b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Tue, 18 Dec 2018 14:36:26 +0100
Subject: Authorize read_pipeline before read_build
---
 lib/api/jobs.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib')
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index bd704f3bf25..e2ab60f3855 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
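Review bot: The `authorize_read_builds!` call added to `get ':id/jobs'` is a per-route check, so any route in this file that omits it stays readable without `read_build`; the next patch in this series adds the same permission to `get ':id/pipelines/:pipeline_id/jobs'` by hand, which is the pattern that lets one route be missed. If every route in this resource needs at least `read_build`, a resource-level `before { authorize_read_builds! }` would make newly added routes fail closed. The rest of the file is outside the hunk, so confirm which routes already carry a check before moving it. A request spec asserting that a user without `read_build` is rejected by this route would pin the behaviour; specs are not visible here because the view is limited to `lib`.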
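Review bot: `authorize!(:read_build, pipeline)` in `get ':id/pipelines/:pipeline_id/jobs'` evaluates the ability against the pipeline, while the project jobs route uses the `authorize_read_builds!` helper, so the two listings may be decided by different policies. Neither the helper nor the pipeline policy is visible in this hunk; if `read_build` on a pipeline only delegates to the project, calling `authorize_read_builds!` here would keep both routes on one code path. If the pipeline subject is intentional, a comment such as `# Subject is the pipeline so pipeline-level policy rules apply to its builds` above the call would record that choice.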
@@ -59,6 +59,7 @@ module API
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
 pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
+ authorize!(:read_pipeline, user_project)
 authorize!(:read_build, pipeline)
 builds = pipeline.builds
-- 
cgit v1.2.3
From 0c714937eb868af55c37f1e4900c20dc7015f9c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Thu, 20 Dec 2018 04:09:47 +0100
Subject: Move pipeline auth above pipeline assignment
---
 lib/api/jobs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb
index e2ab60f3855..45c694b6448 100644
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -58,8 +58,8 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ':id/pipelines/:pipeline_id/jobs' do
- pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
 authorize!(:read_pipeline, user_project)
+ pipeline = user_project.ci_pipelines.find(params[:pipeline_id])
 authorize!(:read_build, pipeline)
 builds = pipeline.builds
-- 
cgit v1.2.3
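Review bot: The order of `authorize!(:read_pipeline, user_project)` and the `find` call in the last hunk is security-relevant, but nothing in the code says so, which makes it easy to undo in a later refactor. With the check after the lookup, a caller without access would presumably get a not-found error for a missing pipeline ID and an authorization error for an existing one, which reveals which IDs exist; the commit message does not state this, so confirm that it is the reason. I would add `# Authorize before the lookup so the response does not reveal whether the pipeline exists` above the first `authorize!`. The second check, `authorize!(:read_build, pipeline)`, still has to follow the lookup because it takes the pipeline as its subject.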