summaryrefslogtreecommitdiff
path: root/lib/api
diff options
context:
space:
mode:
authorTomasz Maczukin <tomasz@maczukin.pl>2016-02-04 14:53:53 +0100
committerTomasz Maczukin <tomasz@maczukin.pl>2016-02-19 13:18:47 +0100
commitf21b15d5f5af150ef39f338a4d4afb495402311a (patch)
tree5bfa6a61003232857d02980c4265e5fe90c780ee /lib/api
parentb58744cd93ed572e4a40ab3f35ff69753a4cd42b (diff)
downloadgitlab-ce-f21b15d5f5af150ef39f338a4d4afb495402311a.tar.gz
Limit projects to user available projects if user is not an admin
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/entities.rb8
-rw-r--r--lib/api/runners.rb6
2 files changed, 12 insertions, 2 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index af030159580..a8c00542d35 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -388,7 +388,13 @@ module API
expose :version, :revision, :platform, :architecture
expose :contacted_at, as: :last_contact
expose :token, if: lambda { |runner, options| options[:user_is_admin] || !runner.is_shared? }
- expose :projects, with: Entities::RunnerProjectDetails
+ expose :projects, with: Entities::RunnerProjectDetails do |runner, options|
+ if options[:user_is_admin]
+ runner.projects
+ else
+ runner.projects.where(id: options[:available_projects_ids])
+ end
+ end
end
class Build < Grape::Entity
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index c08d6729dd8..4a0e68a4ddb 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -33,7 +33,11 @@ module API
runner = get_runner(params[:id])
authenticate_show_runner!(runner)
- present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?
+ available_projects_ids = runner.projects.select{ |p| can?(current_user, :read_project, p) }
+ .map(&:id) unless current_user.is_admin?
+
+ present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?,
+ available_projects_ids: available_projects_ids
end
# Update runner's details