Fix milestone promotion authorization

Promoting milestone was missing an authorization check, guest users were being able to promote project milestones to group milestones.

Fix milestone promotion authorization
Promoting milestone was missing an authorization check, guest users were being able to promote project milestones to group milestones.
6dcfae54 · Felipe Artur · bc72b2f1 · 6dcfae54 · 6dcfae54 · 6dcfae54
Commit 6dcfae54 authored Nov 09, 2018 by Felipe Artur
6 changed files
--- a/app/controllers/projects/milestones_controller.rb
+++ b/app/controllers/projects/milestones_controller.rb
@@ -11,7 +11,10 @@ class Projects::MilestonesController < Projects::ApplicationController
  before_action :authorize_read_milestone!
  # Allow admin milestone
-  before_action :authorize_admin_milestone!, except: [:index, :show, :merge_requests, :participants, :labels, :promote]
+  before_action :authorize_admin_milestone!, except: [:index, :show, :merge_requests, :participants, :labels]
+  # Allow to promote milestone
+  before_action :authorize_promote_milestone!, only: :promote
  respond_to :html
@@ -78,7 +81,7 @@ class Projects::MilestonesController < Projects::ApplicationController
  def promote
    promoted_milestone = Milestones::PromoteService.new(project, current_user).execute(milestone)
-    flash[:notice] = flash_notice_for(promoted_milestone, project.group)
+    flash[:notice] = flash_notice_for(promoted_milestone, project_group)
    respond_to do |format|
      format.html do
@@ -109,6 +112,12 @@ class Projects::MilestonesController < Projects::ApplicationController
  protected
+  def project_group
+    strong_memoize(:project_group) do
+      project.group
+    end
+  end
  def milestones
    strong_memoize(:milestones) do
      MilestonesFinder.new(search_params).execute
@@ -125,13 +134,17 @@ class Projects::MilestonesController < Projects::ApplicationController
    return render_404 unless can?(current_user, :admin_milestone, @project)
  end
+  def authorize_promote_milestone!
+    return render_404 unless can?(current_user, :admin_milestone, project_group)
+  end
  def milestone_params
    params.require(:milestone).permit(:title, :description, :start_date, :due_date, :state_event)
  end
  def search_params
-    if request.format.json? && @project.group && can?(current_user, :read_group, @project.group)
+    if request.format.json? && project_group && can?(current_user, :read_group, project_group)
-      groups = @project.group.self_and_ancestors_ids
+      groups = project_group.self_and_ancestors_ids
    end
    params.permit(:state).merge(project_ids: @project.id, group_ids: groups)

--- a/app/helpers/milestones_helper.rb
+++ b/app/helpers/milestones_helper.rb
@@ -2,6 +2,7 @@
 module MilestonesHelper
  include EntityDateHelper
+  include Gitlab::Utils::StrongMemoize
  def milestones_filter_path(opts = {})
    if @project
@@ -243,4 +244,16 @@ module MilestonesHelper
      dashboard_milestone_path(milestone.safe_title, title: milestone.title)
    end
  end
+  def can_admin_project_milestones?
+    strong_memoize(:can_admin_project_milestones) do
+      can?(current_user, :admin_milestone, @project)
+    end
+  end
+  def can_admin_group_milestones?
+    strong_memoize(:can_admin_group_milestones) do
+      can?(current_user, :admin_milestone, @project.group)
+    end
+  end
 end
--- a/app/views/shared/milestones/_milestone.html.haml
+++ b/app/views/shared/milestones/_milestone.html.haml
@@ -35,8 +35,8 @@
    .col-sm-2
      .milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end
        - if @project
-          - if can?(current_user, :admin_milestone, milestone.project) and milestone.active?
+          - if can_admin_project_milestones? and milestone.active?
-            - if @project.group
+            - if can_admin_group_milestones?
              %button.js-promote-project-milestone-button.btn.btn-blank.btn-sm.btn-grouped.has-tooltip{ title: _('Promote to Group Milestone'),
                disabled: true,
                type: 'button',

--- a/changelogs/unreleased/security-issue_51301.yml
+++ b/changelogs/unreleased/security-issue_51301.yml
+---
+title: Fix milestone promotion authorization check
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -143,11 +143,27 @@ describe Projects::MilestonesController do
  end
  describe '#promote' do
+    let(:group) { create(:group) }
+    before do
+      project.update(namespace: group)
+    end
+    context 'when user does not have permission to promote milestone' do
+      before do
+        group.add_guest(user)
+      end
+      it 'renders 404' do
+        post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
    context 'promotion succeeds' do
      before do
-        group = create(:group)
        group.add_developer(user)
-        milestone.project.update(namespace: group)
      end
      it 'shows group milestone' do
@@ -166,12 +182,17 @@ describe Projects::MilestonesController do
      end
    end
-    context 'promotion fails' do
+    context 'when user cannot admin group milestones' do
-      it 'shows project milestone' do
+      before do
+        project.add_developer(user)
+      end
+      it 'renders 404' do
+        project.update(namespace: user.namespace)
        post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid
-        expect(response).to redirect_to(project_milestone_path(project, milestone))
+        expect(response).to have_gitlab_http_status(404)
-        expect(flash[:alert]).to eq('Promotion failed - Project does not belong to a group.')
      end
    end
  end

--- a/spec/features/milestones/user_promotes_milestone_spec.rb
+++ b/spec/features/milestones/user_promotes_milestone_spec.rb
+require 'rails_helper'
+describe 'User promotes milestone' do
+  set(:group) { create(:group) }
+  set(:user) { create(:user) }
+  set(:project) { create(:project, namespace: group) }
+  set(:milestone) { create(:milestone, project: project) }
+  context 'when user can admin group milestones' do
+    before do
+      group.add_developer(user)
+      sign_in(user)
+      visit(project_milestones_path(project))
+    end
+    it "shows milestone promote button" do
+      expect(page).to have_selector('.js-promote-project-milestone-button')
+    end
+  end
+  context 'when user cannot admin group milestones' do
+    before do
+      project.add_developer(user)
+      sign_in(user)
+      visit(project_milestones_path(project))
+    end
+    it "does not show milestone promote button" do
+      expect(page).not_to have_selector('.js-promote-project-milestone-button')
+    end
+  end
+end