Fix NoMethodError when accessing protected environment for job

When checking if a job can be :update_build by a user, this user is then passed all the way to ProtectedEnvironment::DeployAccessLevel. As this user can be nil, we return false if so. Also fixes environment json schema so that it works correctly with oneOf.

Fix NoMethodError when accessing protected environment for job
When checking if a job can be :update_build by a user, this user is then passed all the way to ProtectedEnvironment::DeployAccessLevel. As this user can be nil, we return false if so. Also fixes environment json schema so that it works correctly with oneOf.
08429f67 · Thong Kuah · 3934a31b · 08429f67 · 08429f67 · 08429f67
Commit 08429f67 authored Oct 05, 2020 by Thong Kuah
5 changed files
--- a/ee/app/models/protected_environment/deploy_access_level.rb
+++ b/ee/app/models/protected_environment/deploy_access_level.rb
@@ -21,6 +21,7 @@ class ProtectedEnvironment::DeployAccessLevel < ApplicationRecord
  delegate :project, to: :protected_environment

  def check_access(user)
+    return false unless user
    return true if user.admin?
    return user.id == user_id if user_type?
    return group.users.exists?(user.id) if group_type?

--- a/ee/changelogs/unreleased/fix_user_nil_on_deploy_access_level.yml
+++ b/ee/changelogs/unreleased/fix_user_nil_on_deploy_access_level.yml
+---
+title: Fix NoMethodError when accessing protected environment for job
+merge_request: 44257
+author:
+type: fixed
--- a/ee/spec/controllers/ee/projects/jobs_controller_spec.rb
+++ b/ee/spec/controllers/ee/projects/jobs_controller_spec.rb
@@ -74,16 +74,45 @@ RSpec.describe Projects::JobsController do

        before do
          stub_application_setting(shared_runners_minutes: 2)
-
-          get_show(id: job.id, format: :json)
        end

        it 'exposes quota information' do
+          get_show(id: job.id, format: :json)
+
          expect(response).to have_gitlab_http_status(:ok)
          expect(response).to match_response_schema('job/job_details', dir: 'ee')
          expect(json_response['runners']['quota']['used']).to eq 0
          expect(json_response['runners']['quota']['limit']).to eq 2
        end
+
+        context 'the environment is protected' do
+          before do
+            stub_licensed_features(protected_environments: true)
+            create(:protected_environment, project: project)
+          end
+
+          let(:job) { create(:ci_build, :deploy_to_production, :with_deployment, :success, pipeline: pipeline, runner: runner) }
+
+          it 'renders successfully' do
+            get_show(id: job.id, format: :json)
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to match_response_schema('job/job_details', dir: 'ee')
+          end
+
+          context 'anonymous user' do
+            before do
+              sign_out(user)
+            end
+
+            it 'renders successfully' do
+              get_show(id: job.id, format: :json)
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to match_response_schema('job/job_details', dir: 'ee')
+            end
+          end
+        end
      end
    end


--- a/ee/spec/models/protected_environment/deploy_access_level_spec.rb
+++ b/ee/spec/models/protected_environment/deploy_access_level_spec.rb
@@ -20,8 +20,15 @@ RSpec.describe ProtectedEnvironment::DeployAccessLevel do
  describe '#check_access' do
    subject { deploy_access_level.check_access(user) }

+    context 'anonymous access' do
+      let(:user) { nil }
+      let(:deploy_access_level) { create(:protected_environment_deploy_access_level, protected_environment: protected_environment) }
+
+      it { is_expected.to be_falsy }
+    end
+
    describe 'admin access' do
-      let(:user) { create(:user, :admin) }
+      let_it_be(:user) { create(:user, :admin) }

      context 'when admin user does have specific access' do
        let(:deploy_access_level) { create(:protected_environment_deploy_access_level, protected_environment: protected_environment, user: user) }
@@ -51,7 +58,7 @@ RSpec.describe ProtectedEnvironment::DeployAccessLevel do
    end

    describe 'group access' do
-      let(:group) { create(:group, projects: [project]) }
+      let_it_be(:group) { create(:group, projects: [project]) }

      context 'when specific access has been assigned to a group' do
        let(:deploy_access_level) { create(:protected_environment_deploy_access_level, protected_environment: protected_environment, group: group) }
@@ -111,7 +118,7 @@ RSpec.describe ProtectedEnvironment::DeployAccessLevel do
  end

  describe '#humanize' do
-    let(:protected_environment) { create(:protected_environment) }
+    let_it_be(:protected_environment) { create(:protected_environment) }

    subject { deploy_access_level.humanize }


--- a/spec/fixtures/api/schemas/environment.json
+++ b/spec/fixtures/api/schemas/environment.json
@@ -41,9 +41,12 @@
        { "type": "null" },
        { "$ref": "deployment.json" },
        {
+          "type": "object",
+          "properties" : {
            "name": { "type": "string" },
            "build_path": { "type": "string" }
          }
+        }
      ]
    },
    "can_delete": { "type": "boolean" }