Merge branch 'security-master-group-cicd-settings-accessible-to-maintainer' into 'master'

[master] Group Ex-Maintainer Could maintain Access to Project's Source Code/Jobs/Pipelines/Artifacts if it had Shared Group Runner Configured See merge request gitlab/gitlabhq!2721

Merge branch 'security-master-group-cicd-settings-accessible-to-maintainer' into 'master'
[master] Group Ex-Maintainer Could maintain Access to Project's Source Code/Jobs/Pipelines/Artifacts if it had Shared Group Runner Configured See merge request gitlab/gitlabhq!2721
082a6567 · John Jarvis · 5d550fa5 · e264677b · 082a6567 · 082a6567
Commit 082a6567 authored Jan 01, 2019 by John Jarvis
5 changed files
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -4,7 +4,7 @@ module Groups
  module Settings
    class CiCdController < Groups::ApplicationController
      skip_cross_project_access_check :show
-      before_action :authorize_admin_pipeline!
+      before_action :authorize_admin_group!

      def show
        define_ci_variables
@@ -26,8 +26,8 @@ module Groups
          .map { |variable| variable.present(current_user: current_user) }
      end

-      def authorize_admin_pipeline!
-        return render_404 unless can?(current_user, :admin_pipeline, group)
+      def authorize_admin_group!
+        return render_404 unless can?(current_user, :admin_group, group)
      end
    end
  end

--- a/changelogs/unreleased/security-master-group-cicd-settings-accessible-to-maintainer.yml
+++ b/changelogs/unreleased/security-master-group-cicd-settings-accessible-to-maintainer.yml
+---
+title: Allow changing group CI/CD settings only for owners.
+merge_request:
+author:
+type: security
--- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
@@ -5,11 +5,15 @@ describe Groups::Settings::CiCdController do
  let(:user) { create(:user) }

  before do
-    group.add_maintainer(user)
    sign_in(user)
  end

  describe 'GET #show' do
+    context 'when user is owner' do
+      before do
+        group.add_owner(user)
+      end
+
      it 'renders show with 200 status code' do
        get :show, params: { group_id: group }

@@ -18,9 +22,27 @@ describe Groups::Settings::CiCdController do
      end
    end

+    context 'when user is not owner' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'renders a 404' do
+        get :show, params: { group_id: group }
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+
  describe 'PUT #reset_registration_token' do
    subject { put :reset_registration_token, params: { group_id: group } }

+    context 'when user is owner' do
+      before do
+        group.add_owner(user)
+      end
+
      it 'resets runner registration token' do
        expect { subject }.to change { group.reload.runners_token }
      end
@@ -31,4 +53,17 @@ describe Groups::Settings::CiCdController do
        expect(response).to redirect_to(group_settings_ci_cd_path)
      end
    end
+
+    context 'when user is not owner' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'renders a 404' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
 end
--- a/spec/features/group_variables_spec.rb
+++ b/spec/features/group_variables_spec.rb
@@ -7,7 +7,7 @@ describe 'Group variables', :js do
  let(:page_path) { group_settings_ci_cd_path(group) }

  before do
-    group.add_maintainer(user)
+    group.add_owner(user)
    gitlab_sign_in(user)

    visit page_path

--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -259,8 +259,9 @@ describe 'Runners' do

  context 'group runners in group settings' do
    let(:group) { create(:group) }
+
    before do
-      group.add_maintainer(user)
+      group.add_owner(user)
    end

    context 'group with no runners' do