Add permissions check to pipelines#show action

This check renders a 404 in case the user trying to access the pipeline details page doesn't have enough permissions Changelog: security

Add permissions check to pipelines#show action
This check renders a 404 in case the user trying to access the pipeline details page doesn't have enough permissions Changelog: security
d2a4ccdc · Jose Vargas · 4ad862fa · d2a4ccdc · d2a4ccdc · d2a4ccdc
Commit d2a4ccdc authored Jul 19, 2021 by Jose Vargas
3 changed files
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -8,7 +8,7 @@ class Projects::PipelinesController < Projects::ApplicationController
  before_action :pipeline, except: [:index, :new, :create, :charts, :config_variables]
  before_action :set_pipeline_path, only: [:show]
  before_action :authorize_read_pipeline!
-  before_action :authorize_read_build!, only: [:index]
+  before_action :authorize_read_build!, only: [:index, :show]
  before_action :authorize_read_analytics!, only: [:charts]
  before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
  before_action :authorize_update_pipeline!, only: [:retry, :cancel]

--- a/spec/controllers/projects/pipelines_controller_spec.rb
+++ b/spec/controllers/projects/pipelines_controller_spec.rb
@@ -302,16 +302,15 @@ RSpec.describe Projects::PipelinesController do
  end

  describe 'GET #show' do
-    render_views
-
-    let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
-
-    subject { get_pipeline_html }
-
    def get_pipeline_html
      get :show, params: { namespace_id: project.namespace, project_id: project, id: pipeline }, format: :html
    end

+    context 'when the project is public' do
+      render_views
+
+      let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
+
      def create_build_with_artifacts(stage, stage_idx, name)
        create(:ci_build, :artifacts, :tags, pipeline: pipeline, stage: stage, stage_idx: stage_idx, name: name)
      end
@@ -322,8 +321,6 @@ RSpec.describe Projects::PipelinesController do
      end

      it 'avoids N+1 database queries', :request_store do
-      get_pipeline_html
-
        control_count = ActiveRecord::QueryRecorder.new { get_pipeline_html }.count
        expect(response).to have_gitlab_http_status(:ok)

@@ -334,6 +331,20 @@ RSpec.describe Projects::PipelinesController do
      end
    end

+    context 'when the project is private' do
+      let(:project) { create(:project, :private, :repository) }
+      let(:pipeline) { create(:ci_pipeline, project: project) }
+
+      it 'returns `not_found` when the user does not have access' do
+        sign_in(create(:user))
+
+        get_pipeline_html
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
  describe 'GET show.json' do
    let(:pipeline) { create(:ci_pipeline, project: project) }


--- a/spec/features/projects/pipelines/pipeline_spec.rb
+++ b/spec/features/projects/pipelines/pipeline_spec.rb
@@ -365,9 +365,8 @@ RSpec.describe 'Pipeline', :js do
        let(:project) { create(:project, :public, :repository, public_builds: false) }
        let(:role) { :guest }

-        it 'does not show failed jobs tab pane' do
-          expect(page).to have_link('Pipeline')
-          expect(page).not_to have_content('Failed Jobs')
+        it 'does not show the pipeline details page' do
+          expect(page).to have_content('Not Found')
        end
      end
    end