Builds: healthcheck permissions (#12423)

humitos · web-flow · commit 8a089a3a0ccd · 2025-08-21T14:49:46.000+02:00
We want to skip the default permsissions check here (done at
`get_queryset()` method) because it filters the object by build API key
and/or user access.

Since we are making an anonymous request without a build API key, we
need to skip this check and base it only on the `?builder=` GET
attribute.
diff --git a/readthedocs/api/v2/views/model_views.py b/readthedocs/api/v2/views/model_views.py
@@ -304,6 +304,9 @@ def concurrent(self, request, **kwargs):
         # We make this endpoint public because we don't want to expose the build API key inside the user's container.
         # To emulate "auth" we check for the builder hostname to match the `Build.builder` defined in the database.
         permission_classes=[],
+        # We can't use the default `get_queryset()` method because it's filtered by build API key and/or user access.
+        # Since we don't want to check for permissions here we need to use a custom queryset here.
+        get_queryset=lambda: Build.objects.all(),
         methods=["post"],
     )
     def healthcheck(self, request, **kwargs):
diff --git a/readthedocs/rtd_tests/tests/test_api.py b/readthedocs/rtd_tests/tests/test_api.py
@@ -101,6 +101,49 @@ def setUp(self):
         self.project = get(Project, users=[self.user])
         self.version = self.project.versions.get(slug=LATEST)
 
+    def test_healthcheck(self):
+        # Build cloning state
+        build = get(
+            Build,
+            project=self.project,
+            version=self.version,
+            state=BUILD_STATE_CLONING,
+            builder="build-a1b2c3",
+            success=False,
+        )
+        self.assertIsNone(build.healthcheck)
+
+        client = APIClient()
+        r = client.post(reverse("build-healthcheck", args=(build.pk,), query={"builder": "build-a1b2c3"}))
+        build.refresh_from_db()
+
+        self.assertEqual(r.status_code, 204)
+        self.assertIsNotNone(build.healthcheck)
+
+        # Build invalid builder
+        build.healthcheck = None
+        build.save()
+
+        client = APIClient()
+        r = client.post(reverse("build-healthcheck", args=(build.pk,), query={"builder": "build-invalid"}))
+        build.refresh_from_db()
+
+        self.assertEqual(r.status_code, 404)
+        self.assertIsNone(build.healthcheck)
+
+        # Build finished state
+        build.state = BUILD_STATE_FINISHED
+        build.healthcheck = None
+        build.save()
+
+        client = APIClient()
+        r = client.post(reverse("build-healthcheck", args=(build.pk,), query={"builder": "build-a1b2c3"}))
+        build.refresh_from_db()
+
+        self.assertEqual(r.status_code, 404)
+        self.assertIsNone(build.healthcheck)
+
+
     def test_reset_build(self):
         build = get(
             Build,
