From ae793606e26fd49569af8a235e2ffc41ba4887b1 Mon Sep 17 00:00:00 2001
From: Steve Azzopardi <steveazz@outlook.com>
Date: Tue, 22 Jan 2019 14:37:49 +0100
Subject: [PATCH] Stop showing ci for guest users

When a user is a guest user, and the "Public Pipeline" is set to false
inside of "Settings > CI/CD > General" the commit status in the project
dashboard should not be shown.
---
 app/views/shared/projects/_project.html.haml  |  2 +-
 ...ity-commit-status-shown-for-guest-user.yml |  5 +++++
 spec/features/dashboard/projects_spec.rb      | 21 +++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-commit-status-shown-for-guest-user.yml

diff --git a/app/views/shared/projects/_project.html.haml b/app/views/shared/projects/_project.html.haml
index fea7e17be3d..e1564d57426 100644
--- a/app/views/shared/projects/_project.html.haml
+++ b/app/views/shared/projects/_project.html.haml
@@ -84,7 +84,7 @@
                 title: _('Issues'), data: { container: 'body', placement: 'top' } do
               = sprite_icon('issues', size: 14, css_class: 'append-right-4')
               = number_with_delimiter(project.open_issues_count)
-          - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status?
+          - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status? && can?(current_user, :read_build, project)
             %span.icon-wrapper.pipeline-status
               = render_project_pipeline_status(project.pipeline_status, tooltip_placement: 'top')
         .updated-note
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 00000000000..a80170091d0
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
diff --git a/spec/features/dashboard/projects_spec.rb b/spec/features/dashboard/projects_spec.rb
index edca8f9df08..6c4b04ab76b 100644
--- a/spec/features/dashboard/projects_spec.rb
+++ b/spec/features/dashboard/projects_spec.rb
@@ -147,6 +147,27 @@ describe 'Dashboard Projects' do
         expect(page).to have_link('Commit: passed')
       end
     end
+
+    context 'guest user of project and project has private pipelines' do
+      let(:guest_user) { create(:user) }
+
+      before do
+        project.update(public_builds: false)
+        project.add_guest(guest_user)
+        sign_in(guest_user)
+      end
+
+      it 'shows that the last pipeline passed' do
+        visit dashboard_projects_path
+
+        page.within('.controls') do
+          expect(page).not_to have_xpath("//a[@href='#{pipelines_project_commit_path(project, project.commit, ref: pipeline.ref)}']")
+          expect(page).not_to have_css('.ci-status-link')
+          expect(page).not_to have_css('.ci-status-icon-success')
+          expect(page).not_to have_link('Commit: passed')
+        end
+      end
+    end
   end
 
   context 'last push widget', :use_clean_rails_memory_store_caching do
-- 
GitLab