Disallow guest users from accessing Releases
As they do not have a permission to read git tag
This commit is contained in:
Shinya Maeda
parent
61b2f70fdc
commit
bdee9e8412
4 changed files with 46 additions and 3 deletions
|
|
@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy
|
|||
enable :read_cycle_analytics
|
||||
enable :award_emoji
|
||||
enable :read_pages_content
|
||||
enable :read_release
|
||||
end
|
||||
|
||||
# These abilities are not allowed to admins that are not members of the project,
|
||||
|
|
@ -203,6 +202,7 @@ class ProjectPolicy < BasePolicy
|
|||
enable :read_deployment
|
||||
enable :read_merge_request
|
||||
enable :read_sentry_issue
|
||||
enable :read_release
|
||||
end
|
||||
|
||||
# We define `:public_user_access` separately because there are cases in gitlab-ee
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Disallow guest users from accessing Releases
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
||||
|
|
@ -15,7 +15,7 @@ describe ProjectPolicy do
|
|||
read_project_for_iids read_issue_iid read_label
|
||||
read_milestone read_project_snippet read_project_member read_note
|
||||
create_project create_issue create_note upload_file create_merge_request_in
|
||||
award_emoji read_release
|
||||
award_emoji
|
||||
]
|
||||
end
|
||||
|
||||
|
|
@ -24,7 +24,7 @@ describe ProjectPolicy do
|
|||
download_code fork_project create_project_snippet update_issue
|
||||
admin_issue admin_label admin_list read_commit_status read_build
|
||||
read_container_image read_pipeline read_environment read_deployment
|
||||
read_merge_request download_wiki_code read_sentry_issue
|
||||
read_merge_request download_wiki_code read_sentry_issue read_release
|
||||
]
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -4,12 +4,14 @@ describe API::Releases do
|
|||
let(:project) { create(:project, :repository, :private) }
|
||||
let(:maintainer) { create(:user) }
|
||||
let(:reporter) { create(:user) }
|
||||
let(:guest) { create(:user) }
|
||||
let(:non_project_member) { create(:user) }
|
||||
let(:commit) { create(:commit, project: project) }
|
||||
|
||||
before do
|
||||
project.add_maintainer(maintainer)
|
||||
project.add_reporter(reporter)
|
||||
project.add_guest(guest)
|
||||
|
||||
project.repository.add_tag(maintainer, 'v0.1', commit.id)
|
||||
project.repository.add_tag(maintainer, 'v0.2', commit.id)
|
||||
|
|
@ -66,6 +68,24 @@ describe API::Releases do
|
|||
end
|
||||
end
|
||||
|
||||
context 'when user is a guest' do
|
||||
it 'responds 403 Forbidden' do
|
||||
get api("/projects/#{project.id}/releases", guest)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:forbidden)
|
||||
end
|
||||
|
||||
context 'when project is public' do
|
||||
let(:project) { create(:project, :repository, :public) }
|
||||
|
||||
it 'responds 200 OK' do
|
||||
get api("/projects/#{project.id}/releases", guest)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is not a project member' do
|
||||
it 'cannot find the project' do
|
||||
get api("/projects/#{project.id}/releases", non_project_member)
|
||||
|
|
@ -189,6 +209,24 @@ describe API::Releases do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is a guest' do
|
||||
it 'responds 403 Forbidden' do
|
||||
get api("/projects/#{project.id}/releases/v0.1", guest)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:forbidden)
|
||||
end
|
||||
|
||||
context 'when project is public' do
|
||||
let(:project) { create(:project, :repository, :public) }
|
||||
|
||||
it 'responds 200 OK' do
|
||||
get api("/projects/#{project.id}/releases/v0.1", guest)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when specified tag is not found in the project' do
|
||||
|
|
|
|||
Loading…
Reference in a new issue