Commit 5ba912a3 authored by Ash McKenzie's avatar Ash McKenzie

Merge branch '296563-follow-up-from-fix-project-access-token-regression' into 'master'

Follow-up from "Fix project access token regression"

See merge request gitlab-org/gitlab!50800
parents 81832751 f719cf67
......@@ -135,10 +135,6 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject)
end
condition(:project_bot_is_member) do
user.project_bot? & team_member?
end
with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled }
......@@ -619,8 +615,6 @@ class ProjectPolicy < BasePolicy
enable :admin_resource_access_tokens
end
rule { project_bot_is_member & ~blocked }.enable :bot_log_in
private
def user_is_user?
......
---
title: Fix project access token regression
merge_request: 50800
author:
type: fixed
......@@ -198,7 +198,9 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes)
if token.user.can?(:log_in) || token.user.can?(:bot_log_in, project)
return if project && token.user.project_bot? && !project.bots.include?(token.user)
if token.user.can?(:log_in) || token.user.project_bot?
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end
end
......@@ -283,7 +285,7 @@ module Gitlab
return unless build.project.builds_enabled?
if build.user
return unless build.user.can?(:log_in) || build.user.can?(:bot_log_in, build.project)
return unless build.user.can?(:log_in) || (build.user.project_bot? && build.project.bots&.include?(build.user))
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
......
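Review bot: The project-bot branch of both checks no longer considers the blocked state: `token.user.can?(:log_in) || token.user.project_bot?` in the personal-access-token hunk and `build.user.project_bot? && build.project.bots&.include?(build.user)` in the build-token hunk accept a bot on membership alone, whereas the `bot_log_in` rule removed by this commit also required `~blocked`. Unless blocked bots are rejected somewhere outside these hunks, I would carry that condition over, e.g. `token.user.project_bot? && !token.user.blocked?`, and make the same change on the build line. The membership guard in the first hunk only runs when `project` is present, so with a nil project any project bot passes; a comment such as `# project is nil for <caller>; bot membership cannot be verified on this path` would make that intent explicit. The two hunks also differ in nil handling (`project.bots.include?` versus `build.project.bots&.include?`), and one form should be used in both places. Both method bodies begin and end outside the hunks shown, so this is based on the visible lines only.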
......@@ -401,40 +401,6 @@ RSpec.describe ProjectPolicy do
end
end
describe 'bot_log_in' do
let(:bot_user) { create(:user, :project_bot) }
let(:project) { private_project }
context 'when bot is in project and is not blocked' do
before do
project.add_maintainer(bot_user)
end
it 'is a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_truthy
end
end
context 'when project bot is invalid' do
context 'when bot is not in project' do
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
context 'when bot user is blocked' do
before do
project.add_maintainer(bot_user)
bot_user.block!
end
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
end
end
context 'support bot' do
let(:current_user) { User.support_bot }
......