Restrict slash commands to users who can log in
This commit is contained in:
parent
627d2b7fa4
commit
7b52cff489
|
@ -35,6 +35,8 @@ class SlashCommandsService < Service
|
|||
chat_user = find_chat_user(params)
|
||||
|
||||
if chat_user&.user
|
||||
return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
|
||||
|
||||
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
|
||||
else
|
||||
url = authorize_chat_name_url(params)
|
||||
|
|
|
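Review bot: The new guard re-checks the global policy on every command instead of trusting the existing ChatName link, but nothing in the hunk says why; a one-line comment above the `return` would save the next reader a trip to the spec: `# A ChatName link is not revoked when its user is blocked or locked, so re-check the policy on every command.` That rationale is inferred from the shared example in this commit that blocks `chat_name.user` and expects denial — confirm against the ChatName lifecycle. The check runs only on the `if chat_user&.user` branch; the `else` branch that hands out the authorize URL has no user to check yet, which looks intentional. The method enclosing this hunk starts and ends outside it.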
@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
|
|||
enable :access_git
|
||||
enable :receive_notifications
|
||||
enable :use_quick_actions
|
||||
enable :use_slash_commands
|
||||
end
|
||||
|
||||
rule { blocked | internal }.policy do
|
||||
|
@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
|
|||
prevent :access_api
|
||||
prevent :access_git
|
||||
prevent :receive_notifications
|
||||
prevent :use_slash_commands
|
||||
end
|
||||
|
||||
rule { required_terms_not_accepted }.policy do
|
||||
|
@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
|
|||
|
||||
rule { access_locked }.policy do
|
||||
prevent :log_in
|
||||
prevent :use_slash_commands
|
||||
end
|
||||
|
||||
rule { ~(anonymous & restricted_public_level) }.policy do
|
||||
|
|
|
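Review bot: `:use_slash_commands` is now a parallel ability to `:log_in`, prevented here in `blocked | internal` and `access_locked`, but any rule that prevents `:log_in` outside these hunks — the rule enabling these abilities (its head is above line 33), presumably an `anonymous` rule, and `required_terms_not_accepted` whose body starts at the hunk edge — will need the same `prevent` or the two abilities drift, which is the gap the commit title promises to close. Either add `# Keep in sync with :log_in — any rule that prevents :log_in must also prevent :use_slash_commands.` beside `enable :use_slash_commands`, or, if the policy DSL's `can?` condition is usable here, express the dependency once: `rule { ~can?(:log_in) }.policy { prevent :use_slash_commands }`. Whether those out-of-hunk rules prevent `:log_in` cannot be verified from this page.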
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Restrict slash commands to users who can log in
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -226,4 +226,32 @@ describe GlobalPolicy do
|
|||
it { is_expected.not_to be_allowed(:read_instance_statistics) }
|
||||
end
|
||||
end
|
||||
|
||||
describe 'slash commands' do
|
||||
context 'regular user' do
|
||||
it { is_expected.to be_allowed(:use_slash_commands) }
|
||||
end
|
||||
|
||||
context 'when internal' do
|
||||
let(:current_user) { User.ghost }
|
||||
|
||||
it { is_expected.not_to be_allowed(:use_slash_commands) }
|
||||
end
|
||||
|
||||
context 'when blocked' do
|
||||
before do
|
||||
current_user.block
|
||||
end
|
||||
|
||||
it { is_expected.not_to be_allowed(:use_slash_commands) }
|
||||
end
|
||||
|
||||
context 'when access locked' do
|
||||
before do
|
||||
current_user.lock_access!
|
||||
end
|
||||
|
||||
it { is_expected.not_to be_allowed(:use_slash_commands) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
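Review bot: The new `describe 'slash commands'` covers internal, blocked and locked users but has no anonymous case, and the `enable :use_slash_commands` line in the policy hunk sits inside a rule whose head is outside that hunk, so an unauthenticated subject's result goes untested; if the spec's subject accepts a nil user (not visible here), add `context 'when anonymous' do` / `let(:current_user) { nil }` / `it { is_expected.not_to be_allowed(:use_slash_commands) }`. The 'regular user' context relies on the file-level `current_user`, which is also outside the hunk.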
@ -91,6 +91,19 @@ RSpec.shared_examples 'chat slash commands service' do
|
|||
|
||||
subject.trigger(params)
|
||||
end
|
||||
|
||||
context 'when user is blocked' do
|
||||
before do
|
||||
chat_name.user.block
|
||||
end
|
||||
|
||||
it 'blocks command execution' do
|
||||
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
|
||||
|
||||
result = subject.trigger(params)
|
||||
expect(result).to include(text: /^Whoops! This action is not allowed/)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
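Review bot: `expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)` is the weaker of the two assertions available: on the denied path the service hunk returns before `Command.new` is reached, so `expect(Gitlab::SlashCommands::Command).not_to receive(:new)` pins that and avoids the any-instance partial double rspec-mocks discourages. The `text:` match on `/^Whoops! This action is not allowed/` couples the example to presenter copy, so a wording change in the presenter would fail this spec rather than a behaviour change; that is a judgment call. The shared example enclosing this hunk starts outside it.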