Skip user auth check in alerts_controller#notify

Do not check if the user can read project in the notify action of the alerts_controller because that API is hit by alertmanager, and there will never be a user signed in. Project access will be checked in the NotifyService which checks if the alertmanager token in the request matches the token in the DB for the given project.

Skip user auth check in alerts_controller#notify
Do not check if the user can read project in the notify action of the alerts_controller because that API is hit by alertmanager, and there will never be a user signed in. Project access will be checked in the NotifyService which checks if the alertmanager token in the request matches the token in the DB for the given project.
93d074db · Reuben Pereira · Rémy Coutable · 80855ba9 · 93d074db · 93d074db
Commit 93d074db authored Feb 22, 2019 by Reuben Pereira Committed by Rémy Coutable Feb 22, 2019
5 changed files
--- a/ee/app/controllers/projects/prometheus/alerts_controller.rb
+++ b/ee/app/controllers/projects/prometheus/alerts_controller.rb
@@ -7,6 +7,10 @@ module Projects
      protect_from_forgery except: [:notify]
+      skip_before_action :project, only: [:notify]
+      prepend_before_action :repository, :project_without_auth, only: [:notify]
      before_action :authorize_read_prometheus_alerts!, except: [:notify]
      before_action :authorize_admin_project!, except: [:notify]
      before_action :alert, only: [:update, :show, :destroy]
@@ -102,6 +106,15 @@ module Projects
      def extract_alert_manager_token(request)
        Doorkeeper::OAuth::Token.from_bearer_authorization(request)
      end
+      def project_without_auth
+        return @project if @project
+        namespace = params[:namespace_id]
+        id = params[:project_id]
+        @project = Project.find_by_full_path("#{namespace}/#{id}")
+      end
    end
  end
 end
--- a/ee/app/services/projects/prometheus/alerts/notify_service.rb
+++ b/ee/app/services/projects/prometheus/alerts/notify_service.rb
@@ -9,7 +9,7 @@ module Projects
          return false unless valid_alert_manager_token?(token)
          send_alert_email(project, firings) if firings.any?
-          persist_events(project, current_user, params)
+          persist_events(project, params)
          true
        end
@@ -88,8 +88,8 @@ module Projects
            .prometheus_alerts_fired(project, firings)
        end
-        def persist_events(project, current_user, params)
+        def persist_events(project, params)
-          CreateEventsService.new(project, current_user, params).execute
+          CreateEventsService.new(project, nil, params).execute
        end
      end
    end

--- a/ee/changelogs/unreleased/9504-fix-alert-notify.yml
+++ b/ee/changelogs/unreleased/9504-fix-alert-notify.yml
+---
+title: Fix alert notifications for non-public projects
+merge_request: 9636
+author:
+type: fixed
--- a/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
+++ b/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
@@ -88,10 +88,12 @@ describe Projects::Prometheus::AlertsController do
    let(:notify_service) { spy }
    before do
+      sign_out(user)
      expect(Projects::Prometheus::Alerts::NotifyService)
        .to receive(:new)
+        .with(project, nil, duck_type(:permitted?))
        .and_return(notify_service)
-        .with(project, user, duck_type(:permitted?))
    end
    it 'renders ok if notification succeeds' do

--- a/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
+++ b/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
@@ -3,10 +3,9 @@
 require 'spec_helper'
 describe Projects::Prometheus::Alerts::NotifyService do
-  set(:user) { create(:user) }
  set(:project) { create(:project) }
-  let(:service) { described_class.new(project, user, payload) }
+  let(:service) { described_class.new(project, nil, payload) }
  let(:token_input) { 'token' }
  let(:subject) { service.execute(token_input) }