Secure vulerability and add specs
This commit is contained in:
parent
d40a3809fd
commit
3a321c8003
5 changed files with 69 additions and 11 deletions
|
@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
|
|||
rule { admin }.enable :read_group
|
||||
|
||||
rule { has_projects }.policy do
|
||||
enable :read_group
|
||||
enable :read_label
|
||||
end
|
||||
|
||||
|
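Review bot: The `has_projects` policy block still grants `enable :read_label` after this hunk (the header goes from 7 to 6 lines and the specs now expect only `read_label`), but the `has_projects` condition itself is defined outside the hunk, so it is not visible here whether it counts projects that are merely shared into the group. If it does, a member of a public project shared into a private group can still enumerate that group's labels; confirm the condition is limited to projects owned by the group or its subgroups, or state that the label exposure is intended. A short comment would keep a later maintainer from re-adding the broader grant: `# Project membership alone grants only label visibility; read_group must come from group membership or visibility rules.`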
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Fixed ability to see private groups by users not belonging to given group
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -67,6 +67,8 @@ describe Projects::GroupLinksController do
|
|||
|
||||
context 'when project group id equal link group id' do
|
||||
before do
|
||||
group2.add_developer(user)
|
||||
|
||||
post(:create, params: {
|
||||
namespace_id: project.namespace,
|
||||
project_id: project,
|
||||
|
|
|
@ -27,7 +27,7 @@ describe 'Private Group access' do
|
|||
it { is_expected.to be_allowed_for(:developer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:reporter).of(group) }
|
||||
it { is_expected.to be_allowed_for(:guest).of(group) }
|
||||
it { is_expected.to be_allowed_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(:user) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
it { is_expected.to be_denied_for(:visitor) }
|
||||
|
@ -42,7 +42,7 @@ describe 'Private Group access' do
|
|||
it { is_expected.to be_allowed_for(:developer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:reporter).of(group) }
|
||||
it { is_expected.to be_allowed_for(:guest).of(group) }
|
||||
it { is_expected.to be_allowed_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(:user) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
it { is_expected.to be_denied_for(:visitor) }
|
||||
|
@ -58,7 +58,7 @@ describe 'Private Group access' do
|
|||
it { is_expected.to be_allowed_for(:developer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:reporter).of(group) }
|
||||
it { is_expected.to be_allowed_for(:guest).of(group) }
|
||||
it { is_expected.to be_allowed_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(:user) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
it { is_expected.to be_denied_for(:visitor) }
|
||||
|
@ -73,7 +73,7 @@ describe 'Private Group access' do
|
|||
it { is_expected.to be_allowed_for(:developer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:reporter).of(group) }
|
||||
it { is_expected.to be_allowed_for(:guest).of(group) }
|
||||
it { is_expected.to be_allowed_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(:user) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
it { is_expected.to be_denied_for(:visitor) }
|
||||
|
@ -93,4 +93,28 @@ describe 'Private Group access' do
|
|||
it { is_expected.to be_denied_for(:visitor) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
end
|
||||
|
||||
describe 'GET /groups/:path for shared projects' do
|
||||
let(:project) { create(:project, :public) }
|
||||
before do
|
||||
Projects::GroupLinks::CreateService.new(
|
||||
project,
|
||||
create(:user),
|
||||
link_group_access: ProjectGroupLink::DEVELOPER
|
||||
).execute(group)
|
||||
end
|
||||
|
||||
subject { group_path(group) }
|
||||
|
||||
it { is_expected.to be_allowed_for(:admin) }
|
||||
it { is_expected.to be_allowed_for(:owner).of(group) }
|
||||
it { is_expected.to be_allowed_for(:maintainer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:developer).of(group) }
|
||||
it { is_expected.to be_allowed_for(:reporter).of(group) }
|
||||
it { is_expected.to be_allowed_for(:guest).of(group) }
|
||||
it { is_expected.to be_denied_for(project_guest) }
|
||||
it { is_expected.to be_denied_for(:user) }
|
||||
it { is_expected.to be_denied_for(:external) }
|
||||
it { is_expected.to be_denied_for(:visitor) }
|
||||
end
|
||||
end
|
||||
|
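Review bot: The `be_denied_for` expectations in the new 'GET /groups/:path for shared projects' block would also pass if the share were never created: `Projects::GroupLinks::CreateService` is run as a freshly created user with no role on `project`, and nothing asserts that a link exists afterwards, so a silently refused share makes the denials vacuous. The same setup is repeated in the two new GroupPolicy contexts in the spec/policies hunk ('with no user and public project' and 'with foreign user and public project') and has the same weakness. Add a positive check in the `before` block, e.g. `expect(ProjectGroupLink.where(project: project, group: group)).to exist` (assuming the link model exposes those associations), or assert the denial through a user who verifiably holds the shared access. Note also that `project_guest` is defined outside the hunk; the `be_denied_for(project_guest)` line is meaningful only if that helper is built from the overridden `let(:project)` rather than an outer one.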
|
|
@ -74,6 +74,38 @@ describe GroupPolicy do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with no user and public project' do
|
||||
let(:project) { create(:project, :public) }
|
||||
let(:user) { create(:user) }
|
||||
let(:current_user) { nil }
|
||||
|
||||
before do
|
||||
Projects::GroupLinks::CreateService.new(
|
||||
project,
|
||||
user,
|
||||
link_group_access: ProjectGroupLink::DEVELOPER
|
||||
).execute(group)
|
||||
end
|
||||
|
||||
it { expect_disallowed(:read_group) }
|
||||
end
|
||||
|
||||
context 'with foreign user and public project' do
|
||||
let(:project) { create(:project, :public) }
|
||||
let(:user) { create(:user) }
|
||||
let(:current_user) { create(:user) }
|
||||
|
||||
before do
|
||||
Projects::GroupLinks::CreateService.new(
|
||||
project,
|
||||
user,
|
||||
link_group_access: ProjectGroupLink::DEVELOPER
|
||||
).execute(group)
|
||||
end
|
||||
|
||||
it { expect_disallowed(:read_group) }
|
||||
end
|
||||
|
||||
context 'has projects' do
|
||||
let(:current_user) { create(:user) }
|
||||
let(:project) { create(:project, namespace: group) }
|
||||
|
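Review bot: Neither new context exercises the user the fix is about, namely someone who is a member of the shared public project but not of `group`: 'with foreign user and public project' uses an unrelated `create(:user)` as `current_user`, and 'with no user and public project' uses `nil`. Add a context with `let(:current_user) { create(:user).tap { |u| project.add_developer(u) } }` and `it { expect_disallowed(:read_group) }` so the regression is pinned for the access path that previously leaked. As a point of style, the two `before` blocks are identical apart from the actor and could move into one enclosing context with a shared `before`; the inner `let(:user)` exists only to supply that actor and is easy to mistake for the user under test, so naming it `link_author` or similar would read better. The 'has projects' context that opens at the end of this hunk continues outside it.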
@ -82,17 +114,13 @@ describe GroupPolicy do
|
|||
project.add_developer(current_user)
|
||||
end
|
||||
|
||||
it do
|
||||
expect_allowed(:read_group, :read_label)
|
||||
end
|
||||
it { expect_allowed(:read_label) }
|
||||
|
||||
context 'in subgroups', :nested_groups do
|
||||
let(:subgroup) { create(:group, :private, parent: group) }
|
||||
let(:project) { create(:project, namespace: subgroup) }
|
||||
|
||||
it do
|
||||
expect_allowed(:read_group, :read_label)
|
||||
end
|
||||
it { expect_allowed(:read_label) }
|
||||
end
|
||||
end
|
||||
|
||||
|
|
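Review bot: Replacing `expect_allowed(:read_group, :read_label)` with `expect_allowed(:read_label)` removes the old positive assertion but adds no negative one, so the spec no longer pins the behaviour the policy change introduces: a project developer who is not a group member must not get `read_group`. Add `it { expect_disallowed(:read_group) }` next to the `read_label` expectation in both the 'has projects' context and its 'in subgroups' context, assuming `group` in this spec is private so that no visibility rule grants `read_group` independently. The 'has projects' context opens outside this hunk.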