From 633ddc9ed98c690c082c7347422ac85f9b592fb4 Mon Sep 17 00:00:00 2001
From: James Lopez
Date: Tue, 15 Nov 2016 16:25:37 +0100
Subject: [PATCH] fix authorization of builds and added relevant spec

---
 .../cycle_analytics/events_controller.rb | 6 ++++-
 .../projects/cycle_analytics_events_spec.rb | 26 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/controllers/projects/cycle_analytics/events_controller.rb b/app/controllers/projects/cycle_analytics/events_controller.rb
index cc75dc247d3..cb52dfc830a 100644
--- a/app/controllers/projects/cycle_analytics/events_controller.rb
+++ b/app/controllers/projects/cycle_analytics/events_controller.rb
@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
   include CycleAnalyticsParams
 
   before_action :authorize_read_cycle_analytics!
-  before_action :authorize_read_builds!, only: [:test, :staging]
+  before_action :authorize_builds!, only: [:test, :staging]
 
   def issue
     render_events(events.issue_events)
@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 
     params[:events].slice(:start_date, :branch_name)
   end
+
+  def authorize_builds!
+    return access_denied! unless current_user.can?(:read_build, project)
+  end
 end
diff --git a/spec/requests/projects/cycle_analytics_events_spec.rb b/spec/requests/projects/cycle_analytics_events_spec.rb
index d4da8707ea5..ef6e4c80911 100644
--- a/spec/requests/projects/cycle_analytics_events_spec.rb
+++ b/spec/requests/projects/cycle_analytics_events_spec.rb
@@ -39,7 +39,7 @@ describe 'cycle analytics events' do
 
       newest_sha = commits.sort_by { |k| k['date'] }.first[:sha][0...8]
 
-      expect(json_response['events'].first['sha']).to eq(newest_sha)
+      expect(json_response['events'].first['short_sha']).to eq(newest_sha)
     end
 
     it 'lists the code events' do
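Review bot: `authorize_builds!` calls `current_user.can?(:read_build, project)` directly, so any request that reaches this filter without a signed-in user raises NoMethodError on nil and surfaces as a 500 instead of being denied; whether that path exists depends on `authorize_read_cycle_analytics!`, which is outside the hunk, but the controller-level `can?(current_user, :read_build, project)` helper tolerates a nil user and is the form used elsewhere, so the guard should read `return access_denied! unless can?(current_user, :read_build, project)`. The method is appended at the end of the class; if the preceding `events_params` is not under a `private` marker (not visible in this hunk), `authorize_builds!` becomes a public controller method and should be moved below `private`. Since neither the commit message nor the code says why the inherited `authorize_read_builds!` filter in the first hunk was replaced, a one-line comment above the new method, such as `# Explicit :read_build check on this project; the inherited authorize_read_builds! filter did not deny guests here`, would keep the next reader from reverting it.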
@@ -99,6 +99,30 @@ describe 'cycle analytics events' do
       expect(json_response['events'].first['date']).not_to be_empty
     end
   end
+
+  context 'with private project and builds' do
+    before do
+      ProjectMember.first.update(access_level: Gitlab::Access::GUEST)
+    end
+
+    it 'does not list the test events' do
+      get namespace_project_cycle_analytics_test_path(project.namespace, project, format: :json)
+
+      expect(response).to have_http_status(:not_found)
+    end
+
+    it 'does not list the staging events' do
+      get namespace_project_cycle_analytics_staging_path(project.namespace, project, format: :json)
+
+      expect(response).to have_http_status(:not_found)
+    end
+
+    it 'lists the issue events' do
+      get namespace_project_cycle_analytics_issue_path(project.namespace, project, format: :json)
+
+      expect(response).to have_http_status(:ok)
+    end
+  end
 end
 
 def json_response
-- 
GitLab
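Review bot: `ProjectMember.first.update(access_level: Gitlab::Access::GUEST)` in the new `before` block downgrades whichever membership row sorts first rather than the test user's membership on this project, and `update` returns false on a validation failure instead of raising, so a failed downgrade would leave the original access level in place and the two `:not_found` examples would then pass or fail for the wrong reason. Prefer looking the membership up explicitly and raising on failure, e.g. `project.project_members.find_by!(user: user).update!(access_level: Gitlab::Access::GUEST)`, assuming `project` and `user` are the `let`s defined above this hunk. The context also exercises only a guest member; an example with no signed-in user hitting the test or staging endpoint would pin down the nil `current_user` path in the new `authorize_builds!` filter, which is the case most likely to regress. The enclosing `describe` block starts before the hunk.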