Merge branch 'issue_30663' into 'security-10-2'

Prevent creating issues through API without having permissions See merge request gitlab/gitlabhq!2225 (cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c) 915b97c5 Prevent creating issues through API without having permissions
2017-11-22 17:24:11 +00:00 · 2017-11-22 17:24:11 +00:00 · c59ae54705
parent 8f29d2640f
commit c59ae54705
3 changed files with 21 additions and 0 deletions
--- a/changelogs/unreleased/issue_30663.yml
+++ b/changelogs/unreleased/issue_30663.yml
@ -0,0 +1,5 @@
+---
+title: Prevent creating issues through API when user does not have permissions
+merge_request:
+author:
+type: security
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@ -161,6 +161,8 @@ module API
        use :issue_params
      end
      post ':id/issues' do
+        authorize! :create_issue, user_project
+
        # Setting created_at time only allowed for admins and project owners
        unless current_user.admin? || user_project.owner == current_user
          params.delete(:created_at)
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@ -860,6 +860,20 @@ describe API::Issues, :mailer do
      end
    end

+    context 'user does not have permissions to create issue' do
+      let(:not_member)  { create(:user) }
+
+      before do
+        project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+      end
+
+      it 'renders 403' do
+        post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
    it 'creates a new project issue' do
      post api("/projects/#{project.id}/issues", user),
        title: 'new issue', labels: 'label, label2', weight: 3,