Merge branch 'rf-mr-reports' into 'master'

Ensure proper access for sast_reports See merge request gitlab-org/gitlab-ee!15783

Merge branch 'rf-mr-reports' into 'master'
Ensure proper access for sast_reports See merge request gitlab-org/gitlab-ee!15783
98104ffa · Rémy Coutable · b2ab0be6 · f9a50954 · 98104ffa · 98104ffa
Commit 98104ffa authored Aug 29, 2019 by Rémy Coutable
2 changed files
--- a/ee/app/controllers/ee/projects/merge_requests_controller.rb
+++ b/ee/app/controllers/ee/projects/merge_requests_controller.rb
@@ -18,6 +18,7 @@ module EE

        before_action :whitelist_query_limiting_ee_merge, only: [:merge]
        before_action :whitelist_query_limiting_ee_show, only: [:show]
+        before_action :authorize_read_pipeline!, only: [:sast_reports]
      end

      def approve

--- a/ee/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/ee/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -648,6 +648,21 @@ describe Projects::MergeRequestsController do
        expect(json_response).to eq({ 'status_reason' => 'Unknown error' })
      end
    end
+
+    context 'public project with private builds' do
+      let(:comparison_status) { {} }
+      let(:project) { create(:project, :public, :builds_private) }
+
+      before do
+        sign_out user
+      end
+
+      it 'restricts unauthorized access' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
  end

  describe 'GET #license_management_reports' do