Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
3a321c80
Commit
3a321c80
authored
Feb 11, 2019
by
Małgorzata Ksionek
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Secure vulerability and add specs
parent
d40a3809
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
69 additions
and
11 deletions
+69
-11
app/policies/group_policy.rb
app/policies/group_policy.rb
+0
-1
changelogs/unreleased/security-shared-project-private-group.yml
...logs/unreleased/security-shared-project-private-group.yml
+5
-0
spec/controllers/projects/group_links_controller_spec.rb
spec/controllers/projects/group_links_controller_spec.rb
+2
-0
spec/features/security/group/private_access_spec.rb
spec/features/security/group/private_access_spec.rb
+28
-4
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+34
-6
No files found.
app/policies/group_policy.rb
View file @
3a321c80
...
@@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
...
@@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
rule
{
admin
}.
enable
:read_group
rule
{
admin
}.
enable
:read_group
rule
{
has_projects
}.
policy
do
rule
{
has_projects
}.
policy
do
enable
:read_group
enable
:read_label
enable
:read_label
end
end
...
...
changelogs/unreleased/security-shared-project-private-group.yml
0 → 100644
View file @
3a321c80
---
title
:
Fixed ability to see private groups by users not belonging to given group
merge_request
:
author
:
type
:
security
spec/controllers/projects/group_links_controller_spec.rb
View file @
3a321c80
...
@@ -67,6 +67,8 @@ describe Projects::GroupLinksController do
...
@@ -67,6 +67,8 @@ describe Projects::GroupLinksController do
context
'when project group id equal link group id'
do
context
'when project group id equal link group id'
do
before
do
before
do
group2
.
add_developer
(
user
)
post
(
:create
,
params:
{
post
(
:create
,
params:
{
namespace_id:
project
.
namespace
,
namespace_id:
project
.
namespace
,
project_id:
project
,
project_id:
project
,
...
...
spec/features/security/group/private_access_spec.rb
View file @
3a321c80
...
@@ -27,7 +27,7 @@ describe 'Private Group access' do
...
@@ -27,7 +27,7 @@ describe 'Private Group access' do
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
...
@@ -42,7 +42,7 @@ describe 'Private Group access' do
...
@@ -42,7 +42,7 @@ describe 'Private Group access' do
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
...
@@ -58,7 +58,7 @@ describe 'Private Group access' do
...
@@ -58,7 +58,7 @@ describe 'Private Group access' do
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
...
@@ -73,7 +73,7 @@ describe 'Private Group access' do
...
@@ -73,7 +73,7 @@ describe 'Private Group access' do
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
...
@@ -93,4 +93,28 @@ describe 'Private Group access' do
...
@@ -93,4 +93,28 @@ describe 'Private Group access' do
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
end
end
describe
'GET /groups/:path for shared projects'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
before
do
Projects
::
GroupLinks
::
CreateService
.
new
(
project
,
create
(
:user
),
link_group_access:
ProjectGroupLink
::
DEVELOPER
).
execute
(
group
)
end
subject
{
group_path
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
end
end
end
spec/policies/group_policy_spec.rb
View file @
3a321c80
...
@@ -74,6 +74,38 @@ describe GroupPolicy do
...
@@ -74,6 +74,38 @@ describe GroupPolicy do
end
end
end
end
context
'with no user and public project'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:current_user
)
{
nil
}
before
do
Projects
::
GroupLinks
::
CreateService
.
new
(
project
,
user
,
link_group_access:
ProjectGroupLink
::
DEVELOPER
).
execute
(
group
)
end
it
{
expect_disallowed
(
:read_group
)
}
end
context
'with foreign user and public project'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:current_user
)
{
create
(
:user
)
}
before
do
Projects
::
GroupLinks
::
CreateService
.
new
(
project
,
user
,
link_group_access:
ProjectGroupLink
::
DEVELOPER
).
execute
(
group
)
end
it
{
expect_disallowed
(
:read_group
)
}
end
context
'has projects'
do
context
'has projects'
do
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
let
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
...
@@ -82,17 +114,13 @@ describe GroupPolicy do
...
@@ -82,17 +114,13 @@ describe GroupPolicy do
project
.
add_developer
(
current_user
)
project
.
add_developer
(
current_user
)
end
end
it
do
it
{
expect_allowed
(
:read_label
)
}
expect_allowed
(
:read_group
,
:read_label
)
end
context
'in subgroups'
,
:nested_groups
do
context
'in subgroups'
,
:nested_groups
do
let
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
group
)
}
let
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
group
)
}
let
(
:project
)
{
create
(
:project
,
namespace:
subgroup
)
}
let
(
:project
)
{
create
(
:project
,
namespace:
subgroup
)
}
it
do
it
{
expect_allowed
(
:read_label
)
}
expect_allowed
(
:read_group
,
:read_label
)
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment