Merge branch 'api-fix-project-group-sharing' into 'security'

API: Share projects only with groups current_user can access Aims to address the issues here: https://gitlab.com/gitlab-org/gitlab-ce/issues/23004 * Projects can be shared with non-existent groups * Projects can be shared with groups that the current user does not have access to read Concerns: The new implementation of the API endpoint allows projects to be shared with a larger range of groups than can be done via the web UI. The form for sharing a project with a group uses the following API endpoint to index the available groups: 494269fc92/lib/api/groups.rb (L17). The groups indexed in the web form will only be those groups that the user is currently a member of. The new implementation allows projects to be shared with any group that the authenticated user has access to view. This widens the range of groups to those that are public and internal. See merge request !2005 Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-10-11 10:20:35 +00:00 · 2016-10-11 10:20:35 +00:00 · 670b2eb5c0
parent b0acc0a308
commit 670b2eb5c0
4 changed files with 22 additions and 2 deletions
--- a/app/models/project_group_link.rb
+++ b/app/models/project_group_link.rb
@ -10,7 +10,7 @@ class ProjectGroupLink < ActiveRecord::Base
  belongs_to :group

  validates :project_id, presence: true
-  validates :group_id, presence: true
+  validates :group, presence: true
  validates :group_id, uniqueness: { scope: [:project_id], message: "already shared with this group" }
  validates :group_access, presence: true
  validates :group_access, inclusion: { in: Gitlab::Access.values }, presence: true
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@ -416,6 +416,12 @@ module API
        required_attributes! [:group_id, :group_access]
        attrs = attributes_for_keys [:group_id, :group_access, :expires_at]

+        group = Group.find_by_id(attrs[:group_id])
+
+        unless group && can?(current_user, :read_group, group)
+          not_found!('Group')
+        end
+
        unless user_project.allowed_to_share_with_group?
          return render_api_error!("The project sharing with group is disabled", 400)
        end
--- a/spec/models/project_group_link_spec.rb
+++ b/spec/models/project_group_link_spec.rb
@ -11,7 +11,7 @@ describe ProjectGroupLink do

    it { should validate_presence_of(:project_id) }
    it { should validate_uniqueness_of(:group_id).scoped_to(:project_id).with_message(/already shared/) }
-    it { should validate_presence_of(:group_id) }
+    it { should validate_presence_of(:group) }
    it { should validate_presence_of(:group_access) }
  end
 end
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@ -819,6 +819,20 @@ describe API::API, api: true  do
      expect(response.status).to eq 400
    end

+    it 'returns a 404 error when user cannot read group' do
+      private_group = create(:group, :private)
+
+      post api("/projects/#{project.id}/share", user), group_id: private_group.id, group_access: Gitlab::Access::DEVELOPER
+
+      expect(response.status).to eq 404
+    end
+
+    it 'returns a 404 error when group does not exist' do
+      post api("/projects/#{project.id}/share", user), group_id: 1234, group_access: Gitlab::Access::DEVELOPER
+
+      expect(response.status).to eq 404
+    end
+
    it "returns a 409 error when wrong params passed" do
      post api("/projects/#{project.id}/share", user), group_id: group.id, group_access: 1234
      expect(response.status).to eq 409