Commit f04ef9b1 authored by Pavel Shutsin's avatar Pavel Shutsin

Deny access for repository coverage info for guests

Repository coverage information should be accessible
for Reporter+ role only

Changelog: security
EE: true
parent 9ee6c875
...@@ -6,7 +6,7 @@ class Groups::Analytics::CoverageReportsController < Groups::Analytics::Applicat ...@@ -6,7 +6,7 @@ class Groups::Analytics::CoverageReportsController < Groups::Analytics::Applicat
COVERAGE_PARAM = 'coverage' COVERAGE_PARAM = 'coverage'
before_action :load_group before_action :load_group
before_action -> { check_feature_availability!(:group_coverage_reports) } before_action -> { authorize_view_by_action!(:read_group_coverage_reports) }
def index def index
respond_to do |format| respond_to do |format|
......
...@@ -4,7 +4,6 @@ class Groups::Analytics::RepositoryAnalyticsController < Groups::Analytics::Appl ...@@ -4,7 +4,6 @@ class Groups::Analytics::RepositoryAnalyticsController < Groups::Analytics::Appl
layout 'group' layout 'group'
before_action :load_group before_action :load_group
before_action -> { check_feature_availability!(:group_repository_analytics) }
before_action -> { authorize_view_by_action!(:read_group_repository_analytics) } before_action -> { authorize_view_by_action!(:read_group_repository_analytics) }
before_action only: [:show] do before_action only: [:show] do
push_frontend_feature_flag(:usage_data_i_testing_group_code_coverage_visit_total, @group, default_enabled: :yaml) push_frontend_feature_flag(:usage_data_i_testing_group_code_coverage_visit_total, @group, default_enabled: :yaml)
......
...@@ -33,6 +33,10 @@ module EE ...@@ -33,6 +33,10 @@ module EE
@subject.feature_available?(:group_repository_analytics) @subject.feature_available?(:group_repository_analytics)
end end
condition(:group_coverage_reports_available) do
@subject.feature_available?(:group_coverage_reports)
end
condition(:group_activity_analytics_available) do condition(:group_activity_analytics_available) do
@subject.feature_available?(:group_activity_analytics) @subject.feature_available?(:group_activity_analytics)
end end
...@@ -180,6 +184,9 @@ module EE ...@@ -180,6 +184,9 @@ module EE
rule { reporter & group_repository_analytics_available } rule { reporter & group_repository_analytics_available }
.enable :read_group_repository_analytics .enable :read_group_repository_analytics
rule { reporter & group_coverage_reports_available }
.enable :read_group_coverage_reports
rule { reporter & group_merge_request_analytics_available } rule { reporter & group_merge_request_analytics_available }
.enable :read_group_merge_request_analytics .enable :read_group_merge_request_analytics
......
...@@ -26,6 +26,10 @@ RSpec.describe Groups::Analytics::CoverageReportsController do ...@@ -26,6 +26,10 @@ RSpec.describe Groups::Analytics::CoverageReportsController do
end end
context 'without permissions' do context 'without permissions' do
before do
group.add_guest(user)
end
describe 'GET index' do describe 'GET index' do
it 'responds 403' do it 'responds 403' do
get :index, params: valid_request_params get :index, params: valid_request_params
...@@ -37,7 +41,7 @@ RSpec.describe Groups::Analytics::CoverageReportsController do ...@@ -37,7 +41,7 @@ RSpec.describe Groups::Analytics::CoverageReportsController do
context 'with permissions' do context 'with permissions' do
before do before do
group.add_owner(user) group.add_reporter(user)
end end
context 'without a license' do context 'without a license' do
......
...@@ -322,6 +322,34 @@ RSpec.describe GroupPolicy do ...@@ -322,6 +322,34 @@ RSpec.describe GroupPolicy do
it { is_expected.not_to be_allowed(:read_group_repository_analytics) } it { is_expected.not_to be_allowed(:read_group_repository_analytics) }
end end
context 'when group coverage reports is available' do
before do
stub_licensed_features(group_coverage_reports: true)
end
context 'for guests' do
let(:current_user) { guest }
it { is_expected.not_to be_allowed(:read_group_coverage_reports) }
end
context 'for reporter+' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_group_coverage_reports) }
end
end
context 'when group coverage reports is not available' do
let(:current_user) { maintainer }
before do
stub_licensed_features(group_coverage_reports: false)
end
it { is_expected.not_to be_allowed(:read_group_coverage_reports) }
end
describe 'per group SAML' do describe 'per group SAML' do
def stub_group_saml_config(enabled) def stub_group_saml_config(enabled)
allow(::Gitlab::Auth::GroupSaml::Config).to receive_messages(enabled?: enabled) allow(::Gitlab::Auth::GroupSaml::Config).to receive_messages(enabled?: enabled)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment