Fix deprecated CI build status badge permissions

app/controllers/ci/projects_controller.rb

@@ -3,6 +3,7 @@ module Ci
     before_action :project
     before_action :authorize_read_project!, except: [:badge]
     before_action :no_cache, only: [:badge]
+    skip_before_action :authenticate_user!, only: [:badge]
     protect_from_forgery
 
     def show
@@ -18,6 +19,8 @@ module Ci
     #
     def badge
       return render_404 unless @project
+      authenticate_user! unless @project.public?
+
       image = Ci::ImageForBuildService.new.execute(@project, params)
       send_file image.path, filename: image.name, disposition: 'inline', type:"image/svg+xml"
     end

spec/controllers/ci/projects_controller_spec.rb

+require 'spec_helper'
+
+describe Ci::ProjectsController do
+  let(:visibility) { :public }
+  let!(:project) { create(:project, visibility, ci_id: 1) }
+  let(:ci_id) { project.ci_id }
+
+  ##
+  # Specs for *deprecated* CI badge
+  #
+  describe '#badge' do
+    context 'user not signed in'
+      before { get(:badge, id: ci_id) }
+
+      context 'project has no ci_id reference' do
+        let(:ci_id) { 123 }
+
+        it 'returns 404' do
+          expect(response.status).to eq 404
+        end
+      end
+
+      context 'project is public' do
+        let(:visibility) { :public }
+
+        it 'is available without authentication' do
+          expect(response.status).to eq 200
+        end
+      end
+
+      context 'project is private' do
+        let(:visibility) { :private }
+
+        it 'requires authentication' do
+          expect(response.status).to eq 302
+        end
+      end
+
+    context 'user signed in' do
+      let(:user) { create(:user) }
+      before { sign_in(user) }
+      before { get(:badge, id: ci_id) }
+
+      context 'private is internal' do
+        let(:visibility) { :internal }
+
+        it 'shows badge to signed in user' do
+          expect(response.status).to eq 200
+        end
+      end
+    end
+  end
+end