Restrict slash commands to users who can log in
This commit is contained in:
parent
627d2b7fa4
commit
7b52cff489
@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user = find_chat_user(params)
chat_user = find_chat_user(params)
if chat_user&.user
if chat_user&.user
return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
else
else
url = authorize_chat_name_url(params)
url = authorize_chat_name_url(params)
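Review bot: Nothing at the new `return ... access_denied unless chat_user.user.can?(:use_slash_commands)` line says why a user who already holds a chat_name mapping has to be re-authorized on every trigger, and the ability name alone does not convey that it tracks log-in eligibility. A one-line comment above the guard would carry that, e.g. `# A chat_name mapping can outlive the account's ability to log in (blocked, locked, internal), so re-check the ability on every call.` The check also lives only in this service, so if `Gitlab::SlashCommands::Command` is reachable from any other caller that path is not covered; either moving the check into `Command#execute` or documenting that this service is the sole entry point would close that. The enclosing method starts before the hunk.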
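--- a/[path not shown on page: GlobalPolicy]
+++ b/[path not shown on page: GlobalPolicy]
@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
 enable :access_git
 enable :receive_notifications
 enable :use_quick_actions
+enable :use_slash_commands
 end
 
 rule { blocked | internal }.policy do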
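--- a/[path not shown on page: GlobalPolicy]
+++ b/[path not shown on page: GlobalPolicy]
@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
 prevent :access_api
 prevent :access_git
 prevent :receive_notifications
+prevent :use_slash_commands
 end
 
 rule { required_terms_not_accepted }.policy do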
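Review bot: The restriction is expressed as a separate ability that is prevented by hand in this hunk and again in the `access_locked` hunk below (where it sits next to `prevent :log_in`), so it only matches "users who can log in" for as long as every rule that prevents `:log_in` also remembers to prevent `:use_slash_commands`; the `required_terms_not_accepted` policy that opens at the end of this hunk is an example of a rule that gets neither here, which may or may not be intended. If the policy DSL accepts abilities as conditions, a single derived rule such as `rule { ~can?(:log_in) }.prevent :use_slash_commands` would keep the two in step and encode the commit title literally. Failing that, a comment beside each new `prevent :use_slash_commands`, e.g. `# keep in step with :log_in: slash commands must be refused wherever log-in is`, would at least make the coupling visible to the next person adding a log-in restriction.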
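--- a/[path not shown on page: GlobalPolicy]
+++ b/[path not shown on page: GlobalPolicy]
@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
 
 rule { access_locked }.policy do
 prevent :log_in
+prevent :use_slash_commands
 end
 
 rule { ~(anonymous & restricted_public_level) }.policy do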
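--- /dev/null
+++ b/[path not shown on page: changelog entry]
@@ -0,0 +1,5 @@
+---
+title: Restrict slash commands to users who can log in
+merge_request:
+author:
+type: security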
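--- a/[path not shown on page: GlobalPolicy spec]
+++ b/[path not shown on page: GlobalPolicy spec]
@@ -226,4 +226,32 @@ describe GlobalPolicy do
 it { is_expected.not_to be_allowed(:read_instance_statistics) }
 end
 end
+
+describe 'slash commands' do
+context 'regular user' do
+it { is_expected.to be_allowed(:use_slash_commands) }
+end
+
+context 'when internal' do
+let(:current_user) { User.ghost }
+
+it { is_expected.not_to be_allowed(:use_slash_commands) }
+end
+
+context 'when blocked' do
+before do
+current_user.block
+end
+
+it { is_expected.not_to be_allowed(:use_slash_commands) }
+end
+
+context 'when access locked' do
+before do
+current_user.lock_access!
+end
+
+it { is_expected.not_to be_allowed(:use_slash_commands) }
+end
+end
 end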
@ -91,6 +91,19 @@ RSpec.shared_examples 'chat slash commands service' do
subject.trigger(params)
subject.trigger(params)
end
end
context 'when user is blocked' do
before do
chat_name.user.block
end
it 'blocks command execution' do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
result = subject.trigger(params)
expect(result).to include(text: /^Whoops! This action is not allowed/)
end
end
end
end
end
end
end
end