author | Tomasz Maczukin <tomasz@maczukin.pl> | 2016-02-04 14:53:53 +0100 |
---|---|---|
committer | Tomasz Maczukin <tomasz@maczukin.pl> | 2016-02-19 13:18:47 +0100 |
commit | f21b15d5f5af150ef39f338a4d4afb495402311a (patch) | |
tree | 5bfa6a61003232857d02980c4265e5fe90c780ee /lib/api | |
parent | b58744cd93ed572e4a40ab3f35ff69753a4cd42b (diff) | |
download | gitlab-ce-f21b15d5f5af150ef39f338a4d4afb495402311a.tar.gz |
Limit projects to user available projects if user is not an admin
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/entities.rb | 8 | ||||
-rw-r--r-- | lib/api/runners.rb | 6 |
2 files changed, 12 insertions, 2 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index af030159580..a8c00542d35 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -388,7 +388,13 @@ module API
 expose :version, :revision, :platform, :architecture
 expose :contacted_at, as: :last_contact
 expose :token, if: lambda { |runner, options| options[:user_is_admin] || !runner.is_shared? }
- expose :projects, with: Entities::RunnerProjectDetails
+ expose :projects, with: Entities::RunnerProjectDetails do |runner, options|
+ if options[:user_is_admin]
+ runner.projects
+ else
+ runner.projects.where(id: options[:available_projects_ids])
+ end
+ end
 end
 
 class Build < Grape::Entity
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index c08d6729dd8..4a0e68a4ddb 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -33,7 +33,11 @@ module API
 runner = get_runner(params[:id])
 authenticate_show_runner!(runner)
 
- present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?
+ available_projects_ids = runner.projects.select{ |p| can?(current_user, :read_project, p) }
+ .map(&:id) unless current_user.is_admin?
+
+ present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?,
+ available_projects_ids: available_projects_ids
 end
 
 # Update runner's details |
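Review bot: The new `expose :projects` block in lib/api/entities.rb depends on the caller passing `:available_projects_ids`, and nothing in the entity documents that contract. When the option is missing for a non-admin, `where(id: nil)` should match no rows, so the field fails closed, but any other `present ..., with: Entities::RunnerDetails` call that was not updated would silently return an empty project list. I would add a comment above the block such as `# Non-admins see only the projects listed in options[:available_projects_ids]; a missing option yields none.` and check the remaining call sites, which are not visible here. The enclosing entity class starts outside the hunk.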
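Review bot: In lib/api/runners.rb the visibility filter is guarded by a trailing `unless current_user.is_admin?` on a continuation line, and the same admin check is evaluated a second time in the `present` call, so the two halves of one authorization decision are easy to misread and could drift apart. Computing it once keeps them tied together: `user_is_admin = current_user.is_admin?`, then `available_projects_ids = user_is_admin ? nil : runner.projects.select { |p| can?(current_user, :read_project, p) }.map(&:id)`, then pass `user_is_admin: user_is_admin`. The `select` also loads every project of the runner and runs one ability check per record before the entity queries the same rows again by id, which may be slow for runners attached to many projects. The enclosing route block starts outside the hunk.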