Commit 633ddc9e authored by James Lopez

fix authorization of builds and added relevant spec

parent f93607a3
...@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll ...@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
include CycleAnalyticsParams include CycleAnalyticsParams
before_action :authorize_read_cycle_analytics! before_action :authorize_read_cycle_analytics!
before_action :authorize_read_builds!, only: [:test, :staging] before_action :authorize_builds!, only: [:test, :staging]
def issue def issue
render_events(events.issue_events) render_events(events.issue_events)
...@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll ...@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
params[:events].slice(:start_date, :branch_name) params[:events].slice(:start_date, :branch_name)
end end
def authorize_builds!
return access_denied! unless current_user.can?(:read_build, project)
end
end end
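Review bot: `authorize_builds!` calls `current_user.can?` directly, so a request with no signed-in user would raise NoMethodError and return a 500 instead of reaching `access_denied!`. Whether such a request can get this far depends on the authentication filters in the parent controller, which are not visible here. A nil-tolerant check keeps the denial path uniform, for example `return access_denied! unless can?(current_user, :read_build, project)`, assuming the controller-level `can?` helper is in scope. A short comment above the method would also help, such as `# Test and staging events expose build data, so they need :read_build on top of :read_cycle_analytics.` The class body starts and continues outside both hunks.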
...@@ -39,7 +39,7 @@ describe 'cycle analytics events' do ...@@ -39,7 +39,7 @@ describe 'cycle analytics events' do
newest_sha = commits.sort_by { |k| k['date'] }.first[:sha][0...8] newest_sha = commits.sort_by { |k| k['date'] }.first[:sha][0...8]
expect(json_response['events'].first['sha']).to eq(newest_sha) expect(json_response['events'].first['short_sha']).to eq(newest_sha)
end end
it 'lists the code events' do it 'lists the code events' do
...@@ -99,6 +99,30 @@ describe 'cycle analytics events' do ...@@ -99,6 +99,30 @@ describe 'cycle analytics events' do
expect(json_response['events'].first['date']).not_to be_empty expect(json_response['events'].first['date']).not_to be_empty
end end
end end
context 'with private project and builds' do
before do
ProjectMember.first.update(access_level: Gitlab::Access::GUEST)
end
it 'does not list the test events' do
get namespace_project_cycle_analytics_test_path(project.namespace, project, format: :json)
expect(response).to have_http_status(:not_found)
end
it 'does not list the staging events' do
get namespace_project_cycle_analytics_staging_path(project.namespace, project, format: :json)
expect(response).to have_http_status(:not_found)
end
it 'lists the issue events' do
get namespace_project_cycle_analytics_issue_path(project.namespace, project, format: :json)
expect(response).to have_http_status(:ok)
end
end
end end
def json_response def json_response
......
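Review bot: The new context only exercises a signed-in member downgraded to guest, so the signed-out path through `authorize_builds!` has no coverage. Adding test and staging requests made without logging in would pin the expected status for anonymous visitors. The setup `ProjectMember.first.update(access_level: Gitlab::Access::GUEST)` assumes the first membership row belongs to the logged-in user and ignores a failed save. Selecting the member by user and calling `update!` would make the fixture explicit, though the user setup is outside the hunk, so the exact lookup needs confirming. The context title could also name the role, e.g. `context 'with private project and builds, as a guest' do`.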