Guests can read builds if those are public

Fixes #18448

Guests can read builds if those are public
Fixes #18448
617f43c7 · Z.J. van de Weg · Z.J. van de Weg · bd674591 · 617f43c7 · 617f43c7
Commit 617f43c7 authored Oct 13, 2016 by Z.J. van de Weg Committed by Z.J. van de Weg Dec 04, 2016
7 changed files
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
 module Ci
  class BuildPolicy < CommitStatusPolicy
    def rules
+      can! :read_build if @subject.project.public_builds?
      super
      # If we can't read build we should also not have that

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -46,6 +46,11 @@ class ProjectPolicy < BasePolicy
    can! :create_note
    can! :upload_file
    can! :read_cycle_analytics
+    if project.public_builds?
+      can! :read_pipeline
+      can! :read_build
+    end
  end
  def reporter_access!

--- a/changelogs/unreleased/zj-guest-reads-public-builds.yml
+++ b/changelogs/unreleased/zj-guest-reads-public-builds.yml
+---
+title: Guests can read builds when public
+merge_request: 6842
+author: 
--- a/spec/features/projects/guest_navigation_menu_spec.rb
+++ b/spec/features/projects/guest_navigation_menu_spec.rb
 require 'spec_helper'
 describe "Guest navigation menu" do
-  let(:project) { create :empty_project, :private }
+  let(:project) { create(:empty_project, :private, public_builds: false) }
-  let(:guest) { create :user }
+  let(:guest) { create(:user) }
  before do
    project.team << [guest, :guest]

--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -260,6 +260,19 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
+    context 'when public builds is enabled' do
+      it { is_expected.to be_allowed_for guest }
+    end
+    context 'when public buils are disabled' do
+      before do
+        project.public_builds = false
+        project.save
+      end
+      it { is_expected.to be_denied_for guest }
+    end
  end
  describe "GET /:project_path/pipelines/:id" do
@@ -275,6 +288,19 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
+    context 'when public builds is enabled' do
+      it { is_expected.to be_allowed_for guest }
+    end
+    context 'when public buils are disabled' do
+      before do
+        project.public_builds = false
+        project.save
+      end
+      it { is_expected.to be_denied_for guest }
+    end
  end
  describe "GET /:project_path/builds" do
@@ -289,6 +315,19 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
+    context 'when public builds is enabled' do
+      it { is_expected.to be_allowed_for guest }
+    end
+    context 'when public buils are disabled' do
+      before do
+        project.public_builds = false
+        project.save
+      end
+      it { is_expected.to be_denied_for guest }
+    end
  end
  describe "GET /:project_path/builds/:id" do
@@ -305,6 +344,19 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
+    context 'when public builds is enabled' do
+      it { is_expected.to be_allowed_for guest }
+    end
+    context 'when public buils are disabled' do
+      before do
+        project.public_builds = false
+        project.save
+      end
+      it { is_expected.to be_denied_for guest }
+    end
  end
  describe "GET /:project_path/environments" do

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -111,13 +111,35 @@ describe ProjectPolicy, models: true do
    context 'guests' do
      let(:current_user) { guest }
-      it do
+      context 'public builds enabled' do
-        is_expected.to include(*guest_permissions)
+        let(:reporter_public_build_permissions) do
-        is_expected.not_to include(*reporter_permissions)
+          reporter_permissions - [:read_build, :read_pipeline]
-        is_expected.not_to include(*team_member_reporter_permissions)
+        end
-        is_expected.not_to include(*developer_permissions)
-        is_expected.not_to include(*master_permissions)
+        it do
-        is_expected.not_to include(*owner_permissions)
+          is_expected.to include(*guest_permissions)
+          is_expected.not_to include(*reporter_public_build_permissions)
+          is_expected.not_to include(*team_member_reporter_permissions)
+          is_expected.not_to include(*developer_permissions)
+          is_expected.not_to include(*master_permissions)
+          is_expected.not_to include(*owner_permissions)
+        end
+      end
+      context 'public builds disabled' do
+        before do
+          project.public_builds = false
+          project.save
+        end
+        it do
+          is_expected.to include(*guest_permissions)
+          is_expected.not_to include(*reporter_permissions)
+          is_expected.not_to include(*team_member_reporter_permissions)
+          is_expected.not_to include(*developer_permissions)
+          is_expected.not_to include(*master_permissions)
+          is_expected.not_to include(*owner_permissions)
+        end
      end
    end

--- a/spec/requests/api/builds_spec.rb
+++ b/spec/requests/api/builds_spec.rb
@@ -5,7 +5,7 @@ describe API::Builds, api: true do
  let(:user) { create(:user) }
  let(:api_user) { user }
-  let!(:project) { create(:project, creator_id: user.id) }
+  let!(:project) { create(:project, creator_id: user.id, public_builds: false) }
  let!(:developer) { create(:project_member, :developer, user: user, project: project) }
  let(:reporter) { create(:project_member, :reporter, project: project) }
  let(:guest) { create(:project_member, :guest, project: project) }