Prevent updating trigger by other maintainers

In UI, it is prevented that updating a trigger that belongs to other maintainer. However, it was not implemented in API.

Prevent updating trigger by other maintainers
In UI, it is prevented that updating a trigger that belongs to other maintainer. However, it was not implemented in API.
26fee3b6 · Furkan Ayhan · bc23c3cc · 26fee3b6 · 26fee3b6 · 26fee3b6
Commit 26fee3b6 authored Feb 26, 2020 by Furkan Ayhan
3 changed files
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+---
+title: Prevent updating trigger by other maintainers
+merge_request:
+author:
+type: security
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -109,6 +109,8 @@ module API
        trigger = user_project.triggers.find(params.delete(:trigger_id))
        break not_found!('Trigger') unless trigger

+        authorize! :admin_trigger, trigger
+
        if trigger.update(declared_params(include_missing: false))
          present trigger, with: Entities::Trigger, current_user: current_user
        else

--- a/spec/requests/api/triggers_spec.rb
+++ b/spec/requests/api/triggers_spec.rb
@@ -238,24 +238,44 @@ describe API::Triggers do
  end

  describe 'PUT /projects/:id/triggers/:trigger_id' do
-    context 'authenticated user with valid permissions' do
-      let(:new_description) { 'new description' }
+    context 'user is maintainer of the project' do
+      context 'the trigger belongs to user' do
+        let(:new_description) { 'new description' }

-      it 'updates description' do
-        put api("/projects/#{project.id}/triggers/#{trigger.id}", user),
-          params: { description: new_description }
+        it 'updates description' do
+          put api("/projects/#{project.id}/triggers/#{trigger.id}", user),
+            params: { description: new_description }

-        expect(response).to have_gitlab_http_status(:ok)
-        expect(json_response).to include('description' => new_description)
-        expect(trigger.reload.description).to eq(new_description)
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(json_response).to include('description' => new_description)
+          expect(trigger.reload.description).to eq(new_description)
+        end
+      end
+
+      context 'the trigger does not belong to user' do
+        it 'does not update trigger' do
+          put api("/projects/#{project.id}/triggers/#{trigger2.id}", user)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
      end
    end

-    context 'authenticated user with invalid permissions' do
-      it 'does not update trigger' do
-        put api("/projects/#{project.id}/triggers/#{trigger.id}", user2)
+    context 'user is developer of the project' do
+      context 'the trigger belongs to user' do
+        it 'does not update trigger' do
+          put api("/projects/#{project.id}/triggers/#{trigger2.id}", user2)

-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'the trigger does not belong to user' do
+        it 'does not update trigger' do
+          put api("/projects/#{project.id}/triggers/#{trigger.id}", user2)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
      end
    end