gocd · ketan · Apr 27, 2018 · Apr 26, 2018
diff --git a/server/webapp/WEB-INF/rails.new/app/controllers/api_v3/admin/plugin_infos_controller.rb b/server/webapp/WEB-INF/rails.new/app/controllers/api_v3/admin/plugin_infos_controller.rb
@@ -18,6 +18,8 @@ module ApiV3
   module Admin
     class PluginInfosController < BaseController
 
+      before_action :check_user_and_401
+
       PLUGIN_TYPES_FOR_VERSION = [
         PluginConstants.AUTHORIZATION_EXTENSION,
         PluginConstants.ELASTIC_AGENT_EXTENSION,
@@ -28,8 +30,6 @@ class PluginInfosController < BaseController
         PluginConstants.CONFIG_REPO_EXTENSION
       ]
 
-      before_action :check_admin_user_or_group_admin_user_and_401
-
       def index
         plugin_infos = default_plugin_info_finder.allPluginInfos(params[:type]).reject do |combined_plugin_info|
           combined_plugin_info.nil? || is_non_nil_and_unsupported?(combined_plugin_info)

diff --git a/server/webapp/WEB-INF/rails.new/app/controllers/api_v4/admin/plugin_infos_controller.rb b/server/webapp/WEB-INF/rails.new/app/controllers/api_v4/admin/plugin_infos_controller.rb
@@ -18,6 +18,8 @@ module ApiV4
   module Admin
     class PluginInfosController < BaseController
 
+      before_action :check_user_and_401
+
       PLUGIN_TYPES_FOR_VERSION = [
         PluginConstants.AUTHORIZATION_EXTENSION,
         PluginConstants.ELASTIC_AGENT_EXTENSION,

diff --git a/...er/webapp/WEB-INF/rails.new/spec/controllers/api_v3/admin/plugin_infos_controller_spec.rb b/...er/webapp/WEB-INF/rails.new/spec/controllers/api_v3/admin/plugin_infos_controller_spec.rb
@@ -39,21 +39,16 @@
         expect(controller).to allow_action(:get, :show)
       end
 
-      it 'should disallow non-admin user, with security enabled' do
+      it 'should allow non-admin user, with security enabled' do
         enable_security
         login_as_user
-        expect(controller).to disallow_action(:get, :show, {:id => 'plugin_id'}).with(401, 'You are not authorized to perform this action.')
+        expect(controller).to allow_action(:get, :show, {:id => 'plugin_id'})
       end
 
       it 'should allow admin users, with security enabled' do
         login_as_admin
         expect(controller).to allow_action(:get, :show)
       end
-
-      it 'should allow pipeline group admin users, with security enabled' do
-        login_as_group_admin
-        expect(controller).to allow_action(:get, :show)
-      end
     end
 
     describe "index" do
@@ -62,21 +57,16 @@
         expect(controller).to allow_action(:get, :index)
       end
 
-      it 'should disallow non-admin user, with security enabled' do
+      it 'should allow non-admin user, with security enabled' do
         enable_security
         login_as_user
-        expect(controller).to disallow_action(:get, :index).with(401, 'You are not authorized to perform this action.')
+        expect(controller).to allow_action(:get, :index)
       end
 
       it 'should allow admin users, with security enabled' do
         login_as_admin
         expect(controller).to allow_action(:get, :index)
       end
-
-      it 'should allow pipeline group admin users, with security enabled' do
-        login_as_group_admin
-        expect(controller).to allow_action(:get, :index)
-      end
     end
   end
 
@@ -299,4 +289,4 @@
       end
     end
   end
-end
+end
diff --git a/...er/webapp/WEB-INF/rails.new/spec/controllers/api_v4/admin/plugin_infos_controller_spec.rb b/...er/webapp/WEB-INF/rails.new/spec/controllers/api_v4/admin/plugin_infos_controller_spec.rb
@@ -32,6 +32,44 @@
 
   end
 
+  describe "security" do
+    describe "show" do
+      it 'should allow anyone, with security disabled' do
+        disable_security
+        expect(controller).to allow_action(:get, :show)
+      end
+
+      it 'should allow non-admin user, with security enabled' do
+        enable_security
+        login_as_user
+        expect(controller).to allow_action(:get, :show, {:id => 'plugin_id'})
+      end
+
+      it 'should allow admin users, with security enabled' do
+        login_as_admin
+        expect(controller).to allow_action(:get, :show)
+      end
+    end
+
+    describe "index" do
+      it 'should allow anyone, with security disabled' do
+        disable_security
+        expect(controller).to allow_action(:get, :index)
+      end
+
+      it 'should allow non-admin user, with security enabled' do
+        enable_security
+        login_as_user
+        expect(controller).to allow_action(:get, :index)
+      end
+
+      it 'should allow admin users, with security enabled' do
+        login_as_admin
+        expect(controller).to allow_action(:get, :index)
+      end
+    end
+  end
+
   describe "index" do
     before(:each) do
       login_as_group_admin
@@ -255,4 +293,4 @@
       end
     end
   end
-end
+end