Prevent updating trigger by other maintainers

In UI, it is prevented that updating a trigger that belongs to other maintainer. However, it was not implemented in API.

Prevent updating trigger by other maintainers
In UI, it is prevented that updating a trigger that belongs to other maintainer. However, it was not implemented in API.
26fee3b6 · Furkan Ayhan · bc23c3cc · 26fee3b6 · 26fee3b6 · 26fee3b6
Commit 26fee3b6 authored Feb 26, 2020 by Furkan Ayhan
3 changed files
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+---
+title: Prevent updating trigger by other maintainers
+merge_request:
+author:
+type: security
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -109,6 +109,8 @@ module API
        trigger = user_project.triggers.find(params.delete(:trigger_id))
        break not_found!('Trigger') unless trigger

+        authorize! :admin_trigger, trigger
+
        if trigger.update(declared_params(include_missing: false))
          present trigger, with: Entities::Trigger, current_user: current_user
        else

--- a/spec/requests/api/triggers_spec.rb
+++ b/spec/requests/api/triggers_spec.rb
@@ -238,7 +238,8 @@ describe API::Triggers do
  end

  describe 'PUT /projects/:id/triggers/:trigger_id' do
-    context 'authenticated user with valid permissions' do
+    context 'user is maintainer of the project' do
+      context 'the trigger belongs to user' do
        let(:new_description) { 'new description' }

        it 'updates description' do
@@ -251,13 +252,32 @@ describe API::Triggers do
        end
      end

-    context 'authenticated user with invalid permissions' do
+      context 'the trigger does not belong to user' do
+        it 'does not update trigger' do
+          put api("/projects/#{project.id}/triggers/#{trigger2.id}", user)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
+    context 'user is developer of the project' do
+      context 'the trigger belongs to user' do
+        it 'does not update trigger' do
+          put api("/projects/#{project.id}/triggers/#{trigger2.id}", user2)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'the trigger does not belong to user' do
        it 'does not update trigger' do
          put api("/projects/#{project.id}/triggers/#{trigger.id}", user2)

          expect(response).to have_gitlab_http_status(:forbidden)
        end
      end
+    end

    context 'unauthenticated user' do
      it 'does not update trigger' do