Commit 85ad18b2 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-disallow-guests-to-access-releases' into 'master'

Disallow guest users from accessing Releases

See merge request gitlab/gitlabhq!3041
parents 52eda892 bdee9e84
...@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy ...@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy
enable :read_cycle_analytics enable :read_cycle_analytics
enable :award_emoji enable :award_emoji
enable :read_pages_content enable :read_pages_content
enable :read_release
end end
# These abilities are not allowed to admins that are not members of the project, # These abilities are not allowed to admins that are not members of the project,
...@@ -203,6 +202,7 @@ class ProjectPolicy < BasePolicy ...@@ -203,6 +202,7 @@ class ProjectPolicy < BasePolicy
enable :read_deployment enable :read_deployment
enable :read_merge_request enable :read_merge_request
enable :read_sentry_issue enable :read_sentry_issue
enable :read_release
end end
# We define `:public_user_access` separately because there are cases in gitlab-ee # We define `:public_user_access` separately because there are cases in gitlab-ee
......
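Review bot: The relocated `enable :read_release` (removed at L13, re-added at L20) carries no comment saying why the ability is now granted in the reporter-level block rather than to guests, and the `rule` block that receives it starts before the hunk, so the condition guarding it is not visible here; a one-line note above the added line, e.g. `# read_release is reporter-level, not guest: releases are bound to repository tags`, would keep the next maintainer from moving it back into the guest block. The spec in this commit still expects 200 for a guest on a public project, so some other rule must grant `read_release` there; presumably it is the `public_user_access` rule the comment at L22 refers to, and it is worth confirming that rule only grants `read_release` where the repository itself is publicly readable. The policy_spec hunks at L29-L42 mirror this move and need no further change.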
---
title: Disallow guest users from accessing Releases
merge_request:
author:
type: security
...@@ -15,7 +15,7 @@ describe ProjectPolicy do ...@@ -15,7 +15,7 @@ describe ProjectPolicy do
read_project_for_iids read_issue_iid read_label read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release award_emoji
] ]
end end
...@@ -24,7 +24,7 @@ describe ProjectPolicy do ...@@ -24,7 +24,7 @@ describe ProjectPolicy do
download_code fork_project create_project_snippet update_issue download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue read_merge_request download_wiki_code read_sentry_issue read_release
] ]
end end
......
...@@ -4,12 +4,14 @@ describe API::Releases do ...@@ -4,12 +4,14 @@ describe API::Releases do
let(:project) { create(:project, :repository, :private) } let(:project) { create(:project, :repository, :private) }
let(:maintainer) { create(:user) } let(:maintainer) { create(:user) }
let(:reporter) { create(:user) } let(:reporter) { create(:user) }
let(:guest) { create(:user) }
let(:non_project_member) { create(:user) } let(:non_project_member) { create(:user) }
let(:commit) { create(:commit, project: project) } let(:commit) { create(:commit, project: project) }
before do before do
project.add_maintainer(maintainer) project.add_maintainer(maintainer)
project.add_reporter(reporter) project.add_reporter(reporter)
project.add_guest(guest)
project.repository.add_tag(maintainer, 'v0.1', commit.id) project.repository.add_tag(maintainer, 'v0.1', commit.id)
project.repository.add_tag(maintainer, 'v0.2', commit.id) project.repository.add_tag(maintainer, 'v0.2', commit.id)
...@@ -66,6 +68,24 @@ describe API::Releases do ...@@ -66,6 +68,24 @@ describe API::Releases do
end end
end end
context 'when user is a guest' do
it 'responds 403 Forbidden' do
get api("/projects/#{project.id}/releases", guest)
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'when project is public' do
let(:project) { create(:project, :repository, :public) }
it 'responds 200 OK' do
get api("/projects/#{project.id}/releases", guest)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
context 'when user is not a project member' do context 'when user is not a project member' do
it 'cannot find the project' do it 'cannot find the project' do
get api("/projects/#{project.id}/releases", non_project_member) get api("/projects/#{project.id}/releases", non_project_member)
...@@ -189,6 +209,24 @@ describe API::Releases do ...@@ -189,6 +209,24 @@ describe API::Releases do
end end
end end
end end
context 'when user is a guest' do
it 'responds 403 Forbidden' do
get api("/projects/#{project.id}/releases/v0.1", guest)
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'when project is public' do
let(:project) { create(:project, :repository, :public) }
it 'responds 200 OK' do
get api("/projects/#{project.id}/releases/v0.1", guest)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
end end
context 'when specified tag is not found in the project' do context 'when specified tag is not found in the project' do
......
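Review bot: The two guest contexts at L60-L72 and L80-L92 are the same four examples with only the request path differing, which invites drift when one copy is updated; a `shared_examples 'guest access to releases'` taking the path (or a `let(:path)`) and two `it_behaves_like` calls would express the policy boundary once. Both contexts pin only the private-project 403 and the public-project 200; an `:internal` project case is not covered here, so whether a guest is allowed there is presumably left to the policy spec and could be asserted explicitly. The public-project override at L66 and L86 reuses the outer `before` block, which starts at L51, so the guest membership and tags are still set up on the new project.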