Commit 036ee862 authored by Thong Kuah's avatar Thong Kuah

Allow cluster update to same namespace only

Only allow a cluster's management_project to be updated to a project in the
namespace (and descendants) of the cluster.

For instance-level cluster, this is meaningless so skip for this cluster
type.
parent 5ce01342
...@@ -24,7 +24,7 @@ module Clusters ...@@ -24,7 +24,7 @@ module Clusters
def validate_params(cluster) def validate_params(cluster)
if params[:management_project_id] if params[:management_project_id]
management_project = ::Project.find_by_id(params[:management_project_id]) management_project = management_project_scope(cluster).find_by_id(params[:management_project_id])
unless management_project unless management_project
cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action')) cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
...@@ -42,5 +42,22 @@ module Clusters ...@@ -42,5 +42,22 @@ module Clusters
true true
end end
def management_project_scope(cluster)
return Project.all if cluster.instance_type?
group =
if cluster.group_type?
cluster.first_group
elsif cluster.project_type?
cluster.first_project&.namespace
end
# Prevent users from selecting nested projects until
# https://gitlab.com/gitlab-org/gitlab/issues/34650 is resolved
include_subgroups = cluster.group_type?
::GroupProjectsFinder.new(group: group, current_user: current_user, options: { only_owned: true, include_subgroups: include_subgroups }).execute
end
end end
end end
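Review bot: `return Project.all if cluster.instance_type?` uses the bare constant inside `module Clusters`, where lexical constant lookup reaches `Clusters::Project` (the cluster/project join model) before the top-level `::Project`; the first hunk's `::Project.find_by_id` and the new `::GroupProjectsFinder` call both qualify the constant, so this line should read `return ::Project.all if cluster.instance_type?`. That instance branch is also the only scope not filtered by `current_user`, so if a separate permission check on the selected project follows (the existing "user is not authorized to adminster manangement_project" spec context suggests one does), a comment such as `# Instance clusters have no namespace to scope by; authorization is checked separately` would make that dependency explicit. For a project-type cluster, `cluster.first_project&.namespace` may be nil or a user namespace rather than a Group, and that value is passed straight to `GroupProjectsFinder.new(group: ...)`; worth confirming the finder tolerates both, or returning `::Project.none` when no group is resolved. The enclosing `UpdateService` class opens outside the hunk.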
...@@ -293,7 +293,7 @@ describe API::GroupClusters do ...@@ -293,7 +293,7 @@ describe API::GroupClusters do
let(:domain) { 'new-domain.com' } let(:domain) { 'new-domain.com' }
let(:platform_kubernetes_attributes) { {} } let(:platform_kubernetes_attributes) { {} }
let(:management_project) { create(:project) } let(:management_project) { create(:project, group: group) }
let(:management_project_id) { management_project.id } let(:management_project_id) { management_project.id }
let(:cluster) do let(:cluster) do
......
...@@ -281,7 +281,7 @@ describe API::ProjectClusters do ...@@ -281,7 +281,7 @@ describe API::ProjectClusters do
let(:api_url) { 'https://kubernetes.example.com' } let(:api_url) { 'https://kubernetes.example.com' }
let(:namespace) { 'new-namespace' } let(:namespace) { 'new-namespace' }
let(:platform_kubernetes_attributes) { { namespace: namespace } } let(:platform_kubernetes_attributes) { { namespace: namespace } }
let(:management_project) { create(:project) } let(:management_project) { create(:project, namespace: project.namespace) }
let(:management_project_id) { management_project.id } let(:management_project_id) { management_project.id }
let(:update_params) do let(:update_params) do
......
...@@ -92,7 +92,7 @@ describe Clusters::UpdateService do ...@@ -92,7 +92,7 @@ describe Clusters::UpdateService do
end end
context 'when params includes :management_project_id' do context 'when params includes :management_project_id' do
let(:management_project) { create(:project) } let(:management_project) { create(:project, namespace: cluster.first_project.namespace) }
context 'management_project is non-existent' do context 'management_project is non-existent' do
let(:params) do let(:params) do
...@@ -123,6 +123,21 @@ describe Clusters::UpdateService do ...@@ -123,6 +123,21 @@ describe Clusters::UpdateService do
expect(cluster.management_project).to eq(management_project) expect(cluster.management_project).to eq(management_project)
end end
context 'manangement_project is outside of the namespace scope' do
before do
management_project.update(group: create(:group))
end
it 'does not update management_project_id' do
is_expected.to eq(false)
expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
cluster.reload
expect(cluster.management_project_id).to be_nil
end
end
end end
context 'user is not authorized to adminster manangement_project' do context 'user is not authorized to adminster manangement_project' do
......