Add permission check for pipeline status of MR

widget.json endpoint of MRs exposes ci_status to unauthorized users.
This commit will add permission control of pipeline read access.

app/serializers/merge_request_poll_widget_entity.rb

@@ -53,7 +53,7 @@ class MergeRequestPollWidgetEntity < Grape::Entity
 
   # CI related
   expose :has_ci?, as: :has_ci
-  expose :ci_status do |merge_request|
+  expose :ci_status, if: -> (mr, _) { presenter(mr).can_read_pipeline? } do |merge_request|
     presenter(merge_request).ci_status
   end
 

changelogs/unreleased/security-mr-pipeline-status-permission-check.yml

+---
+title: Add permission check for pipeline status of MR
+merge_request:
+author:
+type: security

spec/serializers/merge_request_poll_widget_entity_spec.rb

@@ -138,7 +138,7 @@ describe MergeRequestPollWidgetEntity do
   end
 
   describe 'pipeline' do
-    let(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) }
+    let!(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) }
 
     before do
       allow_any_instance_of(MergeRequestPresenter).to receive(:can?).and_call_original
@@ -158,6 +158,10 @@ describe MergeRequestPollWidgetEntity do
 
           expect(subject[:pipeline]).to eq(pipeline_payload)
         end
+
+        it 'returns ci_status' do
+          expect(subject[:ci_status]).to eq('pending')
+        end
       end
 
       context 'when is not up to date' do
@@ -171,10 +175,15 @@ describe MergeRequestPollWidgetEntity do
 
     context 'when user does not have access to pipelines' do
       let(:result) { false }
+      let(:req) { double('request', current_user: user, project: project) }
 
       it 'does not have pipeline' do
         expect(subject[:pipeline]).to eq(nil)
       end
+
+      it 'does not return ci_status' do
+        expect(subject[:ci_status]).to eq(nil)
+      end
     end
   end
 end