Commit 9a3df9d5 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'ci-runners-master-or-owner' into 'master'

Show specific runners from projects where user is master or owner

This fix for permission escalation when handling specific runners.

The users were allowed to assign runners from projects where they were guests.


See merge request !1809
parents 1328e4b5 03f5ff75
...@@ -35,6 +35,7 @@ v 8.2.0 (unreleased) ...@@ -35,6 +35,7 @@ v 8.2.0 (unreleased)
- New design for project graphs page - New design for project graphs page
- Remove deprecated dumped yaml file generated from previous job definitions - Remove deprecated dumped yaml file generated from previous job definitions
- Fix incoming email config defaults - Fix incoming email config defaults
- Show specific runners from projects where user is master or owner
- MR target branch is now visible on a list view when it is different from project's default one - MR target branch is now visible on a list view when it is different from project's default one
- Improve Continuous Integration graphs page - Improve Continuous Integration graphs page
- Make color of "Accept Merge Request" button consistent with current build status - Make color of "Accept Merge Request" button consistent with current build status
......
...@@ -405,6 +405,15 @@ class User < ActiveRecord::Base ...@@ -405,6 +405,15 @@ class User < ActiveRecord::Base
end end
end end
def master_or_owner_projects_id
@master_or_owner_projects_id ||= begin
scope = { access_level: [ Gitlab::Access::MASTER, Gitlab::Access::OWNER ] }
project_ids = personal_projects.pluck(:id)
project_ids.push(*groups_projects.where(members: scope).pluck(:id))
project_ids.push(*projects.where(members: scope).pluck(:id).uniq)
end
end
# Projects user has access to # Projects user has access to
def authorized_projects def authorized_projects
@authorized_projects ||= Project.where(id: authorized_projects_id) @authorized_projects ||= Project.where(id: authorized_projects_id)
...@@ -765,14 +774,10 @@ class User < ActiveRecord::Base ...@@ -765,14 +774,10 @@ class User < ActiveRecord::Base
!solo_owned_groups.present? !solo_owned_groups.present?
end end
def ci_authorized_projects
@ci_authorized_projects ||= Ci::Project.where(gitlab_id: authorized_projects_id)
end
def ci_authorized_runners def ci_authorized_runners
@ci_authorized_runners ||= begin @ci_authorized_runners ||= begin
runner_ids = Ci::RunnerProject.joins(:project). runner_ids = Ci::RunnerProject.joins(:project).
where(ci_projects: { gitlab_id: authorized_projects_id }).select(:runner_id) where(ci_projects: { gitlab_id: master_or_owner_projects_id }).select(:runner_id)
Ci::Runner.specific.where(id: runner_ids) Ci::Runner.specific.where(id: runner_ids)
end end
end end
......
...@@ -14,15 +14,25 @@ describe "Runners" do ...@@ -14,15 +14,25 @@ describe "Runners" do
@project2 = FactoryGirl.create :ci_project @project2 = FactoryGirl.create :ci_project
@project2.gl_project.team << [user, :master] @project2.gl_project.team << [user, :master]
@project3 = FactoryGirl.create :ci_project
@project3.gl_project.team << [user, :developer]
@shared_runner = FactoryGirl.create :ci_shared_runner @shared_runner = FactoryGirl.create :ci_shared_runner
@specific_runner = FactoryGirl.create :ci_specific_runner @specific_runner = FactoryGirl.create :ci_specific_runner
@specific_runner2 = FactoryGirl.create :ci_specific_runner @specific_runner2 = FactoryGirl.create :ci_specific_runner
@specific_runner3 = FactoryGirl.create :ci_specific_runner
@project.runners << @specific_runner @project.runners << @specific_runner
@project2.runners << @specific_runner2 @project2.runners << @specific_runner2
@project3.runners << @specific_runner3
visit runners_path(@project.gl_project) visit runners_path(@project.gl_project)
end end
before do
expect(page).to_not have_content(@specific_runner3.display_name)
expect(page).to_not have_content(@specific_runner3.display_name)
end
it "places runners in right places" do it "places runners in right places" do
expect(page.find(".available-specific-runners")).to have_content(@specific_runner2.display_name) expect(page.find(".available-specific-runners")).to have_content(@specific_runner2.display_name)
expect(page.find(".activated-specific-runners")).to have_content(@specific_runner.display_name) expect(page.find(".activated-specific-runners")).to have_content(@specific_runner.display_name)
...@@ -76,10 +86,10 @@ describe "Runners" do ...@@ -76,10 +86,10 @@ describe "Runners" do
@project.gl_project.team << [user, :master] @project.gl_project.team << [user, :master]
@specific_runner = FactoryGirl.create :ci_specific_runner @specific_runner = FactoryGirl.create :ci_specific_runner
@project.runners << @specific_runner @project.runners << @specific_runner
visit runners_path(@project.gl_project)
end end
it "shows runner information" do it "shows runner information" do
visit runners_path(@project.gl_project)
click_on @specific_runner.short_sha click_on @specific_runner.short_sha
expect(page).to have_content(@specific_runner.platform) expect(page).to have_content(@specific_runner.platform)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment