Merge branch 'security-2798-fix-boards-policy' into 'master'

Disable issue board policies when issues are disabled Closes #2798 See merge request gitlab/gitlabhq!2894

Merge branch 'security-2798-fix-boards-policy' into 'master'
Disable issue board policies when issues are disabled Closes #2798 See merge request gitlab/gitlabhq!2894
9d9591f4 · Yorick Peterse · 9803962d · 5dc047dc · 9d9591f4 · 9d9591f4
Commit 9d9591f4 authored Mar 04, 2019 by Yorick Peterse
3 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
  rule { issues_disabled }.policy do
    prevent(*create_read_update_admin_destroy(:issue))
+    prevent(*create_read_update_admin_destroy(:board))
+    prevent(*create_read_update_admin_destroy(:list))
  end
  rule { merge_requests_disabled | repository_disabled }.policy do

--- a/changelogs/unreleased/security-2798-fix-boards-policy.yml
+++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml
+---
+title: Disable issue boards API when issues are disabled
+merge_request:
+author:
+type: security
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -130,25 +130,29 @@ describe ProjectPolicy do
    subject { described_class.new(owner, project) }
    context 'when the feature is disabled' do
-      it 'does not include the issues permissions' do
+      before do
        project.issues_enabled = false
        project.save!
+      end
+      it 'does not include the issues permissions' do
        expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
      end
+      it 'disables boards and lists permissions' do
+        expect_disallowed :read_board, :create_board, :update_board, :admin_board
+        expect_disallowed :read_list, :create_list, :update_list, :admin_list
      end
-    context 'when the feature is disabled and external tracker configured' do
+      context 'when external tracker configured' do
        it 'does not include the issues permissions' do
          create(:jira_service, project: project)
-        project.issues_enabled = false
-        project.save!
          expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
        end
      end
    end
+  end
  context 'merge requests feature' do
    subject { described_class.new(owner, project) }