Permission check issuable template API data

From https://gitlab.com/gitlab-org/gitlab/-/issues/336446: > it seems possible that a customer might put some information in there > that they would not want to be publicly known. This change checks that a user can view issues, or merge requests, of a project before exposing the default templates. Changelog: security EE: true

Permission check issuable template API data
From https://gitlab.com/gitlab-org/gitlab/-/issues/336446: > it seems possible that a customer might put some information in there > that they would not want to be publicly known. This change checks that a user can view issues, or merge requests, of a project before exposing the default templates. Changelog: security EE: true
dbad14b7 · Luke Duncalfe · 9cb5a4eb · dbad14b7 · dbad14b7
Commit dbad14b7 authored Sep 15, 2021 by Luke Duncalfe
Show whitespace changes
Inline Side-by-side

Showing with 55 additions and 21 deletions

ee/lib/ee/api/entities/project.rb ee/lib/ee/api/entities/project.rb +8 -2

ee/spec/requests/api/projects_spec.rb ee/spec/requests/api/projects_spec.rb +47 -19

No files found.
--- a/ee/lib/ee/api/entities/project.rb
+++ b/ee/lib/ee/api/entities/project.rb
@@ -37,8 +37,14 @@ module EE
          expose :compliance_frameworks do |project, _|
            [project.compliance_framework_setting&.compliance_management_framework&.name].compact
          end
-          expose :issues_template, if: ->(project, _) { project.feature_available?(:issuable_default_templates) }
+          expose :issues_template, if: ->(project, options) do
-          expose :merge_requests_template, if: ->(project, _) { project.feature_available?(:issuable_default_templates) }
+            project.feature_available?(:issuable_default_templates) &&
+              Ability.allowed?(options[:current_user], :read_issue, project)
+          end
+          expose :merge_requests_template, if: ->(project, options) do
+            project.feature_available?(:issuable_default_templates) &&
+              Ability.allowed?(options[:current_user], :read_merge_request, project)
+          end
          expose :merge_pipelines_enabled?, as: :merge_pipelines_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
          expose :merge_trains_enabled?, as: :merge_trains_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
        end

--- a/ee/spec/requests/api/projects_spec.rb
+++ b/ee/spec/requests/api/projects_spec.rb
@@ -276,7 +276,10 @@ RSpec.describe API::Projects do
      end
    end
-    context 'issuable default templates feature is available' do
+    context 'issuable default templates' do
+      let(:project) { create(:project, :public) }
+      context 'when feature is available' do
        before do
          stub_licensed_features(issuable_default_templates: true)
        end
@@ -288,6 +291,30 @@ RSpec.describe API::Projects do
          expect(json_response).to have_key 'issues_template'
          expect(json_response).to have_key 'merge_requests_template'
        end
+        context 'when user does not have permission to see issues' do
+          let(:project) { create(:project, :public, :issues_private) }
+          it 'does not return issue default templates' do
+            subject
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response).not_to have_key 'issues_template'
+            expect(json_response).to have_key 'merge_requests_template'
+          end
+        end
+        context 'when user does not have permission to see merge requests' do
+          let(:project) { create(:project, :public, :merge_requests_private) }
+          it 'does not return merge request default templates' do
+            subject
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response).to have_key 'issues_template'
+            expect(json_response).not_to have_key 'merge_requests_template'
+          end
+        end
      end
      context 'issuable default templates feature not available' do
@@ -303,6 +330,7 @@ RSpec.describe API::Projects do
          expect(json_response).not_to have_key 'merge_requests_template'
        end
      end
+    end
    context 'merge pipelines feature is available' do
      before do