author | Shinya Maeda <shinya@gitlab.com> | 2017-09-04 21:53:19 +0900 |
---|---|---|
committer | Shinya Maeda <shinya@gitlab.com> | 2017-09-04 21:53:19 +0900 |
commit | 2f906430fa9efa61b7808e5849611fef6ecb59a5 (patch) | |
tree | 8022488fcb64c2e7f92d95636ac30f87b703092e | |
parent | bb22989c388bb7322e95af72c48d8422494d96e7 (diff) | |
download | gitlab-ce-2f906430fa9efa61b7808e5849611fef6ecb59a5.tar.gz |
Fix security breach feature/sm/34518-extend-api-pipeline-schedule-variable-new
-rw-r--r-- | lib/api/pipeline_schedules.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/pipeline_schedules_spec.rb | 14 |
2 files changed, 14 insertions, 2 deletions
diff --git a/lib/api/pipeline_schedules.rb b/lib/api/pipeline_schedules.rb
index 51baf12e287..37f32411296 100644
--- a/lib/api/pipeline_schedules.rb
+++ b/lib/api/pipeline_schedules.rb
@@ -167,7 +167,7 @@ module API
 .pipeline_schedules
 .preload(:owner, :last_pipeline)
 .find_by(id: params.delete(:pipeline_schedule_id)).tap do |pipeline_schedule|
- unless pipeline_schedule || can?(current_user, :read_pipeline_schedule, pipeline_schedule)
+ unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)
 not_found!('Pipeline Schedule')
 end
 end
diff --git a/spec/requests/api/pipeline_schedules_spec.rb b/spec/requests/api/pipeline_schedules_spec.rb
index 86e834b5a22..f650df57383 100644
--- a/spec/requests/api/pipeline_schedules_spec.rb
+++ b/spec/requests/api/pipeline_schedules_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe API::PipelineSchedules do
 set(:developer) { create(:user) }
 set(:user) { create(:user) }
- set(:project) { create(:project, :repository) }
+ set(:project) { create(:project, :repository, public_builds: false) }
 
 before do
 project.add_developer(developer)
@@ -110,6 +110,18 @@ describe API::PipelineSchedules do
 end
 end
 
+ context 'authenticated user with insufficient permissions' do
+ before do
+ project.add_guest(user)
+ end
+
+ it 'does not return pipeline_schedules list' do
+ get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+
 context 'unauthenticated user' do
 it 'does not return pipeline_schedules list' do
 get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}") |
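Review bot: The new guard `unless can?(current_user, :read_pipeline_schedule, pipeline_schedule)` now runs with `pipeline_schedule` set to nil whenever `find_by` finds no row, so the 404 for an unknown id depends on the policy layer answering false for a nil subject rather than on an explicit check in this helper. Making the intent visible keeps the not-found path independent of policy internals: `unless pipeline_schedule && can?(current_user, :read_pipeline_schedule, pipeline_schedule)`. A short comment above the guard would also help, since the old `||` form read plausibly and was wrong: `# nil subject (unknown id) and forbidden subject both 404, so existence is not leaked`. The enclosing helper method begins before this hunk, so its name and any other callers are not visible here.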
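Review bot: The new example's description `'does not return pipeline_schedules list'` is copied from the unauthenticated case below it, but the request fetches a single schedule by id, so the description misstates what is asserted; `it 'does not return the pipeline_schedule'` matches the request. The example only proves the 404 in combination with the `public_builds: false` added to the shared `set(:project)` in the earlier hunk, which now changes the fixture for every example in this file; a one-line comment on that fixture line, `# builds are private so a guest must not read pipeline schedules`, would record why the regression test depends on it. The guarded helper in lib/api/pipeline_schedules.rb appears to be shared by more than the GET-single endpoint (inferred, the other callers are outside this diff), so the insufficient-permissions context is worth mirroring on the other endpoints that use it.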