Commit 9d9591f4 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-2798-fix-boards-policy' into 'master'

Disable issue board policies when issues are disabled

Closes #2798

See merge request gitlab/gitlabhq!2894
parents 9803962d 5dc047dc
...@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy ...@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled }.policy do rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue)) prevent(*create_read_update_admin_destroy(:issue))
prevent(*create_read_update_admin_destroy(:board))
prevent(*create_read_update_admin_destroy(:list))
end end
rule { merge_requests_disabled | repository_disabled }.policy do rule { merge_requests_disabled | repository_disabled }.policy do
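Review bot: The two added `prevent` lines inside the `issues_disabled` rule carry no explanation of why board and list abilities are tied to the issues feature, and the only statement of that intent on this page is the merge-request title. A short comment above `prevent(*create_read_update_admin_destroy(:board))` would keep the reasoning next to the rule, e.g. `# Boards and their lists are views over issues, so they must be unreachable whenever the issues feature is off (#2798)`. The enclosing `ProjectPolicy` class starts outside the hunk, and the trailing context of the hunk is collapsed on this page.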
---
title: Disable issue boards API when issues are disabled
merge_request:
author:
type: security
...@@ -130,22 +130,26 @@ describe ProjectPolicy do ...@@ -130,22 +130,26 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
context 'when the feature is disabled' do context 'when the feature is disabled' do
it 'does not include the issues permissions' do before do
project.issues_enabled = false project.issues_enabled = false
project.save! project.save!
end
it 'does not include the issues permissions' do
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end end
end
context 'when the feature is disabled and external tracker configured' do it 'disables boards and lists permissions' do
it 'does not include the issues permissions' do expect_disallowed :read_board, :create_board, :update_board, :admin_board
create(:jira_service, project: project) expect_disallowed :read_list, :create_list, :update_list, :admin_list
end
project.issues_enabled = false context 'when external tracker configured' do
project.save! it 'does not include the issues permissions' do
create(:jira_service, project: project)
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
end end
end end
end end
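Review bot: The new `it 'disables boards and lists permissions'` example asserts only the read/create/update/admin abilities, while the policy helper the rule calls is named `create_read_update_admin_destroy`; if that helper also yields `:destroy_board` and `:destroy_list` (its definition is not in this diff), those abilities stay unverified and a later change could re-enable them without failing this spec. Extending both assertions would close that gap, e.g. `expect_disallowed :read_board, :create_board, :update_board, :admin_board, :destroy_board` and the matching `:destroy_list` on the next line. The `subject` at the top of the hunk is built from `owner`, so the check presumably exercises the highest project role and a single example suffices for a prevent rule. The enclosing `describe ProjectPolicy` block starts outside the hunk.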