Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

f4fbe9d6 · GitLab Bot · ca0b403f · f4fbe9d6 · f4fbe9d6 · f4fbe9d6
Commit f4fbe9d6 authored Aug 02, 2021 by GitLab Bot
4 changed files
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -791,7 +791,7 @@ GEM
      nenv (~> 0.1)
      shellany (~> 0.0)
    numerizer (0.2.0)
-    oauth (0.5.4)
+    oauth (0.5.6)
    oauth2 (1.4.4)
      faraday (>= 0.8, < 2.0)
      jwt (>= 1.0, < 3.0)

--- a/app/services/issues/base_service.rb
+++ b/app/services/issues/base_service.rb
@@ -47,6 +47,9 @@ module Issues
      params.delete(:created_at) unless moved_issue || current_user.can?(:set_issue_created_at, project)
      params.delete(:updated_at) unless moved_issue || current_user.can?(:set_issue_updated_at, project)
+      # Only users with permission to handle error data can add it to issues
+      params.delete(:sentry_issue_attributes) unless current_user.can?(:update_sentry_issue, project)
      issue.system_note_timestamp = params[:created_at] || params[:updated_at]
    end

--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -224,6 +224,27 @@ RSpec.describe Issues::CreateService do
        end
      end
+      context 'when sentry identifier is given' do
+        before do
+          sentry_attributes = { sentry_issue_attributes: { sentry_issue_identifier: 42 } }
+          opts.merge!(sentry_attributes)
+        end
+        context 'user is a guest' do
+          before do
+            project.add_guest(user)
+          end
+          it 'does not assign the sentry error' do
+            expect(issue.sentry_issue).to eq(nil)
+          end
+        end
+        it 'assigns the sentry error' do
+          expect(issue.sentry_issue).to be_kind_of(SentryIssue)
+        end
+      end
      it 'executes issue hooks when issue is not confidential' do
        opts = { title: 'Title', description: 'Description', confidential: false }

--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -82,6 +82,31 @@ RSpec.describe Issues::UpdateService, :mailer do
        expect(issue.milestone).to eq milestone
      end
+      context 'when sentry identifier is given' do
+        before do
+          sentry_attributes = { sentry_issue_attributes: { sentry_issue_identifier: 42 } }
+          opts.merge!(sentry_attributes)
+        end
+        it 'assigns the sentry error' do
+          update_issue(opts)
+          expect(issue.sentry_issue).to be_kind_of(SentryIssue)
+        end
+        context 'user is a guest' do
+          before do
+            project.add_guest(user)
+          end
+          it 'does not assign the sentry error' do
+            update_issue(opts)
+            expect(issue.sentry_issue).to eq(nil)
+          end
+        end
+      end
      context 'when issue type is not incident' do
        it 'returns default severity' do
          update_issue(opts)