Commit 9d9591f4 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-2798-fix-boards-policy' into 'master'

Disable issue board policies when issues are disabled

Closes #2798

See merge request gitlab/gitlabhq!2894
parents 9803962d 5dc047dc
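--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
 
   rule { issues_disabled }.policy do
     prevent(*create_read_update_admin_destroy(:issue))
+    prevent(*create_read_update_admin_destroy(:board))
+    prevent(*create_read_update_admin_destroy(:list))
   end
 
   rule { merge_requests_disabled | repository_disabled }.policy do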
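Review bot: The two added `prevent` calls carry no comment explaining why board and list abilities are tied to the issues feature flag, which is the security-relevant point of the change; a later refactor could easily move them into a board-specific rule and reopen the hole. I would add above the `:board` line: `# Boards and lists are views over issues; leaving them readable when issues are disabled would expose issue data through the boards API.` The rule body is complete in the hunk, but `class ProjectPolicy` and the `issues_disabled` condition it relies on are defined outside it, so whether that condition also covers a project with an external tracker cannot be confirmed here. The spec hunk in this commit appears to exercise the external-tracker path for issue abilities only, so it is worth checking that boards are covered there as well.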
---
title: Disable issue boards API when issues are disabled
merge_request:
author:
type: security
...@@ -130,25 +130,29 @@ describe ProjectPolicy do ...@@ -130,25 +130,29 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
context 'when the feature is disabled' do context 'when the feature is disabled' do
it 'does not include the issues permissions' do before do
project.issues_enabled = false project.issues_enabled = false
project.save! project.save!
end
it 'does not include the issues permissions' do
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end end
it 'disables boards and lists permissions' do
expect_disallowed :read_board, :create_board, :update_board, :admin_board
expect_disallowed :read_list, :create_list, :update_list, :admin_list
end end
context 'when the feature is disabled and external tracker configured' do context 'when external tracker configured' do
it 'does not include the issues permissions' do it 'does not include the issues permissions' do
create(:jira_service, project: project) create(:jira_service, project: project)
project.issues_enabled = false
project.save!
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end end
end end
end end
end
context 'merge requests feature' do context 'merge requests feature' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
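Review bot: The new `it 'disables boards and lists permissions'` example asserts the create/read/update/admin abilities but not `destroy_board`/`destroy_list`, which the policy helper `create_read_update_admin_destroy` appears, from its name, to generate as well; adding them pins the whole set, e.g. `expect_disallowed :read_board, :create_board, :update_board, :admin_board, :destroy_board` and the matching `:destroy_list` line. The nested `context 'when external tracker configured'` now inherits the `before` block that disables issues but still only checks the issue abilities; since an external tracker is the case where issue-like data may still be served, the board and list assertions belong in that context too. The enclosing `describe ProjectPolicy` and the `expect_disallowed` helper are defined outside this hunk.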