Do not expose trigger token when user should not see it

084b7edb · Grzegorz Bizon · Yorick Peterse · 9f67b886 · 084b7edb · 084b7edb
Commit 084b7edb authored Dec 19, 2018 by Grzegorz Bizon Committed by Yorick Peterse Jan 31, 2019
8 changed files
--- a/app/controllers/projects/triggers_controller.rb
+++ b/app/controllers/projects/triggers_controller.rb
@@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController
  end

  def trigger
-    @trigger ||= project.triggers.find(params[:id]) || render_404
+    @trigger ||= project.triggers.find(params[:id])
+      .present(current_user: current_user)
  end

  def trigger_params
-    params.require(:trigger).permit(
-      :description
-    )
+    params.require(:trigger).permit(:description)
  end
 end
--- a/app/models/ci/trigger.rb
+++ b/app/models/ci/trigger.rb
@@ -4,6 +4,7 @@ module Ci
  class Trigger < ActiveRecord::Base
    extend Gitlab::Ci::Model
    include IgnorableColumn
+    include Presentable

    ignore_column :deleted_at


--- a/app/presenters/ci/trigger_presenter.rb
+++ b/app/presenters/ci/trigger_presenter.rb
+# frozen_string_literal: true
+
+module Ci
+  class TriggerPresenter < Gitlab::View::Presenter::Delegated
+    presents :trigger
+
+    def has_token_exposed?
+      can?(current_user, :admin_trigger, trigger)
+    end
+
+    def token
+      if has_token_exposed?
+        trigger.token
+      else
+        trigger.short_token
+      end
+    end
+  end
+end
--- a/app/views/projects/triggers/_trigger.html.haml
+++ b/app/views/projects/triggers/_trigger.html.haml
 %tr
  %td
-    - if can?(current_user, :admin_trigger, trigger)
+    - if trigger.has_token_exposed?
      %span= trigger.token
      = clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard")
    - else

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1223,8 +1223,11 @@ module API
    end

    class Trigger < Grape::Entity
+      include ::API::Helpers::Presentable
+
      expose :id
-      expose :token, :description
+      expose :token
+      expose :description
      expose :created_at, :updated_at, :last_used
      expose :owner, using: Entities::UserBasic
    end

--- a/lib/api/helpers/presentable.rb
+++ b/lib/api/helpers/presentable.rb
+# frozen_string_literal: true
+
+module API
+  module Helpers
+    ##
+    # This module makes it possible to use `app/presenters` with
+    # Grape Entities. It instantiates model presenter and passes
+    # options defined in the API endpoint to the presenter itself.
+    #
+    #   present object, with: Entities::Something,
+    #                   current_user: current_user,
+    #                   another_option: 'my options'
+    #
+    # Example above will make `current_user` and `another_option`
+    # values available in the subclass of `Gitlab::View::Presenter`
+    # thorough a separate method in the presenter.
+    #
+    # The model class needs to have `::Presentable` module mixed in
+    # if you want to use `API::Helpers::Presentable`.
+    #
+    module Presentable
+      extend ActiveSupport::Concern
+
+      def initialize(object, options = {})
+        super(object.present(options), options)
+      end
+    end
+  end
+end
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -51,7 +51,7 @@ module API

        triggers = user_project.triggers.includes(:trigger_requests)

-        present paginate(triggers), with: Entities::Trigger
+        present paginate(triggers), with: Entities::Trigger, current_user: current_user
      end
      # rubocop: enable CodeReuse/ActiveRecord

@@ -68,7 +68,7 @@ module API
        trigger = user_project.triggers.find(params.delete(:trigger_id))
        break not_found!('Trigger') unless trigger

-        present trigger, with: Entities::Trigger
+        present trigger, with: Entities::Trigger, current_user: current_user
      end

      desc 'Create a trigger' do

--- a/spec/requests/api/triggers_spec.rb
+++ b/spec/requests/api/triggers_spec.rb
 require 'spec_helper'

 describe API::Triggers do
-  let(:user) { create(:user) }
-  let(:user2) { create(:user) }
+  set(:user) { create(:user) }
+  set(:user2) { create(:user) }
+
  let!(:trigger_token) { 'secure_token' }
  let!(:trigger_token_2) { 'secure_token_2' }
  let!(:project) { create(:project, :repository, creator: user) }
@@ -132,14 +133,17 @@ describe API::Triggers do
  end

  describe 'GET /projects/:id/triggers' do
-    context 'authenticated user with valid permissions' do
-      it 'returns list of triggers' do
+    context 'authenticated user who can access triggers' do
+      it 'returns a list of triggers with tokens exposed correctly' do
        get api("/projects/#{project.id}/triggers", user)

        expect(response).to have_gitlab_http_status(200)
        expect(response).to include_pagination_headers
+
        expect(json_response).to be_a(Array)
-        expect(json_response[0]).to have_key('token')
+        expect(json_response.size).to eq 2
+        expect(json_response.dig(0, 'token')).to eq trigger_token
+        expect(json_response.dig(1, 'token')).to eq trigger_token_2[0..3]
      end
    end