Merge branch 'sh-guard-against-orphaned-project-feature' into 'master'

Guard against deleted project feature entry Closes #66482 See merge request gitlab-org/gitlab-ce!32187
2019-08-26 22:40:42 +00:00 · 2019-08-26 22:40:42 +00:00 · 452b5d605c
parent 0f8058bc58 6fa5f510e8
commit 452b5d605c
3 changed files with 20 additions and 0 deletions
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@ -502,6 +502,8 @@ class ProjectPolicy < BasePolicy
  end

  def feature_available?(feature)
+    return false unless project.project_feature
+
    case project.project_feature.access_level(feature)
    when ProjectFeature::DISABLED
      false
--- a/changelogs/unreleased/sh-guard-against-orphaned-project-feature.yml
+++ b/changelogs/unreleased/sh-guard-against-orphaned-project-feature.yml
@ -0,0 +1,5 @@
+---
+title: Guard against deleted project feature entry in project permissions
+merge_request: 32187
+author:
+type: fixed
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@ -94,6 +94,19 @@ describe ProjectPolicy do
    permissions.each { |p| is_expected.not_to be_allowed(p) }
  end

+  context 'with no project feature' do
+    subject { described_class.new(owner, project) }
+
+    before do
+      project.project_feature.destroy
+      project.reload
+    end
+
+    it 'returns false' do
+      is_expected.to be_disallowed(:read_build)
+    end
+  end
+
  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
    project = create(:project, :private)
    issue   = create(:issue, project: project, author: create(:user))