Commit c7ea2861 authored by Matija Čupić's avatar Matija Čupić

Authorize read_build action when listing jobs

parent f9fd9b1d
......@@ -38,6 +38,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/jobs' do
authorize_read_builds!
builds = user_project.builds.order('id DESC')
builds = filter_builds(builds, params[:scope])
......
......@@ -142,10 +142,20 @@ describe API::Jobs do
end
context 'unauthorized user' do
let(:api_user) { nil }
context 'when user is not logged in' do
let(:api_user) { nil }
it 'does not return project jobs' do
expect(response).to have_gitlab_http_status(401)
it 'does not return project jobs' do
expect(response).to have_gitlab_http_status(401)
end
end
context 'when user is guest' do
let(:api_user) { guest }
it 'does not return project jobs' do
expect(response).to have_gitlab_http_status(403)
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment