Commit bf5743b0 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch...

Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-11-11' into '11-11-stable'

Restrict slash commands to users who can log in

See merge request gitlab/gitlabhq!3239
parents 79501ebe 1a0528f4
......@@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user = find_chat_user(params)
if chat_user&.user
return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
else
url = authorize_chat_name_url(params)
......
......@@ -37,6 +37,7 @@ class GlobalPolicy < BasePolicy
enable :access_git
enable :receive_notifications
enable :use_quick_actions
enable :use_slash_commands
end
rule { blocked | internal }.policy do
......@@ -44,6 +45,7 @@ class GlobalPolicy < BasePolicy
prevent :access_api
prevent :access_git
prevent :receive_notifications
prevent :use_slash_commands
end
rule { required_terms_not_accepted }.policy do
......@@ -61,6 +63,7 @@ class GlobalPolicy < BasePolicy
rule { access_locked }.policy do
prevent :log_in
prevent :use_slash_commands
end
rule { ~(anonymous & restricted_public_level) }.policy do
......
---
title: Restrict slash commands to users who can log in
merge_request:
author:
type: security
......@@ -226,4 +226,32 @@ describe GlobalPolicy do
it { is_expected.not_to be_allowed(:read_instance_statistics) }
end
end
describe 'slash commands' do
context 'regular user' do
it { is_expected.to be_allowed(:use_slash_commands) }
end
context 'when internal' do
let(:current_user) { User.ghost }
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when blocked' do
before do
current_user.block
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when access locked' do
before do
current_user.lock_access!
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
end
end
......@@ -91,6 +91,19 @@ RSpec.shared_examples 'chat slash commands service' do
subject.trigger(params)
end
context 'when user is blocked' do
before do
chat_name.user.block
end
it 'blocks command execution' do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
result = subject.trigger(params)
expect(result).to include(text: /^Whoops! This action is not allowed/)
end
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment