Commit 084b7edb authored by Grzegorz Bizon's avatar Grzegorz Bizon Committed by Yorick Peterse

Do not expose trigger token when user should not see it

parent 9f67b886
No related merge requests found
...@@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController ...@@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController
end end
def trigger def trigger
@trigger ||= project.triggers.find(params[:id]) || render_404 @trigger ||= project.triggers.find(params[:id])
.present(current_user: current_user)
end end
def trigger_params def trigger_params
params.require(:trigger).permit( params.require(:trigger).permit(:description)
:description
)
end end
end end
...@@ -4,6 +4,7 @@ module Ci ...@@ -4,6 +4,7 @@ module Ci
class Trigger < ActiveRecord::Base class Trigger < ActiveRecord::Base
extend Gitlab::Ci::Model extend Gitlab::Ci::Model
include IgnorableColumn include IgnorableColumn
include Presentable
ignore_column :deleted_at ignore_column :deleted_at
......
# frozen_string_literal: true
module Ci
class TriggerPresenter < Gitlab::View::Presenter::Delegated
presents :trigger
def has_token_exposed?
can?(current_user, :admin_trigger, trigger)
end
def token
if has_token_exposed?
trigger.token
else
trigger.short_token
end
end
end
end
%tr %tr
%td %td
- if can?(current_user, :admin_trigger, trigger) - if trigger.has_token_exposed?
%span= trigger.token %span= trigger.token
= clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard") = clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard")
- else - else
......
...@@ -1223,8 +1223,11 @@ module API ...@@ -1223,8 +1223,11 @@ module API
end end
class Trigger < Grape::Entity class Trigger < Grape::Entity
include ::API::Helpers::Presentable
expose :id expose :id
expose :token, :description expose :token
expose :description
expose :created_at, :updated_at, :last_used expose :created_at, :updated_at, :last_used
expose :owner, using: Entities::UserBasic expose :owner, using: Entities::UserBasic
end end
......
# frozen_string_literal: true
module API
module Helpers
##
# This module makes it possible to use `app/presenters` with
# Grape Entities. It instantiates model presenter and passes
# options defined in the API endpoint to the presenter itself.
#
# present object, with: Entities::Something,
# current_user: current_user,
# another_option: 'my options'
#
# Example above will make `current_user` and `another_option`
# values available in the subclass of `Gitlab::View::Presenter`
# thorough a separate method in the presenter.
#
# The model class needs to have `::Presentable` module mixed in
# if you want to use `API::Helpers::Presentable`.
#
module Presentable
extend ActiveSupport::Concern
def initialize(object, options = {})
super(object.present(options), options)
end
end
end
end
...@@ -51,7 +51,7 @@ module API ...@@ -51,7 +51,7 @@ module API
triggers = user_project.triggers.includes(:trigger_requests) triggers = user_project.triggers.includes(:trigger_requests)
present paginate(triggers), with: Entities::Trigger present paginate(triggers), with: Entities::Trigger, current_user: current_user
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
...@@ -68,7 +68,7 @@ module API ...@@ -68,7 +68,7 @@ module API
trigger = user_project.triggers.find(params.delete(:trigger_id)) trigger = user_project.triggers.find(params.delete(:trigger_id))
break not_found!('Trigger') unless trigger break not_found!('Trigger') unless trigger
present trigger, with: Entities::Trigger present trigger, with: Entities::Trigger, current_user: current_user
end end
desc 'Create a trigger' do desc 'Create a trigger' do
......
require 'spec_helper' require 'spec_helper'
describe API::Triggers do describe API::Triggers do
let(:user) { create(:user) } set(:user) { create(:user) }
let(:user2) { create(:user) } set(:user2) { create(:user) }
let!(:trigger_token) { 'secure_token' } let!(:trigger_token) { 'secure_token' }
let!(:trigger_token_2) { 'secure_token_2' } let!(:trigger_token_2) { 'secure_token_2' }
let!(:project) { create(:project, :repository, creator: user) } let!(:project) { create(:project, :repository, creator: user) }
...@@ -132,14 +133,17 @@ describe API::Triggers do ...@@ -132,14 +133,17 @@ describe API::Triggers do
end end
describe 'GET /projects/:id/triggers' do describe 'GET /projects/:id/triggers' do
context 'authenticated user with valid permissions' do context 'authenticated user who can access triggers' do
it 'returns list of triggers' do it 'returns a list of triggers with tokens exposed correctly' do
get api("/projects/#{project.id}/triggers", user) get api("/projects/#{project.id}/triggers", user)
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers expect(response).to include_pagination_headers
expect(json_response).to be_a(Array) expect(json_response).to be_a(Array)
expect(json_response[0]).to have_key('token') expect(json_response.size).to eq 2
expect(json_response.dig(0, 'token')).to eq trigger_token
expect(json_response.dig(1, 'token')).to eq trigger_token_2[0..3]
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment