2671cb2e
Commit
2671cb2e
authored
Jun 03, 2020
by
GitLab Release Tools Bot
Merge remote-tracking branch 'dev/13-0-stable' into 13-0-stable
parents
7a9b1c4b
8549bb43
Changes
5
Showing
5 changed files
with
72 additions
and
43 deletions
+72
-43
CHANGELOG.md
CHANGELOG.md
+7
-0
GITALY_SERVER_VERSION
GITALY_SERVER_VERSION
+1
-1
VERSION
VERSION
+1
-1
app/policies/project_policy.rb
app/policies/project_policy.rb
+1
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+62
-41
CHANGELOG.md
@@ -2,6 +2,13 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 13.0.4 (2020-06-03)
### Security (1 change)
-
Prevent fetching repository code with unauthorized ci token.
## 13.0.3 (2020-05-29)
### Fixed (8 changes, 1 of them is from the community)
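--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-13.0.3
+13.0.4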
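--- a/VERSION
+++ b/VERSION
-13.0.3
+13.0.4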
app/policies/project_policy.rb
@@ -463,6 +463,7 @@ class ProjectPolicy < BasePolicy
rule
{
repository_disabled
}.
policy
do
prevent
:push_code
prevent
:download_code
prevent
:build_download_code
prevent
:fork_project
prevent
:read_commit_status
prevent
:read_pipeline
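Review bot: The added `prevent :build_download_code` inside the `rule { repository_disabled }` policy closes the gap named in the changelog entry, but the line carries no hint of why it is needed next to `prevent :download_code`, so a later reader could treat it as redundant and drop it. Suggest a comment above it: `# :build_download_code is the ability checked for CI job tokens; it is distinct from :download_code and must be prevented alongside it` (the job-token check itself is not visible in this hunk, so confirm the wording against the caller). It is also worth checking whether other rules in this file that `prevent :download_code` should prevent `:build_download_code` as well, since only this one rule is touched by the commit. The `rule { repository_disabled }.policy do` block starts inside the hunk but its remaining lines are outside it.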
spec/policies/project_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
describe
ProjectPolicy
do
include
ExternalAuthorizationServiceHelpers
include_context
'ProjectPolicy context'
let_it_be
(
:other_user
)
{
create
(
:user
)
}
let_it_be
(
:guest
)
{
create
(
:user
)
}
let_it_be
(
:reporter
)
{
create
(
:user
)
}
let_it_be
(
:developer
)
{
create
(
:user
)
}
@@ -163,7 +164,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
owner
,
project
)
}
it
'disallows all permissions when the feature is disabled'
do
project
.
project_feature
.
update
(
merge_requests_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
merge_requests_access_level:
ProjectFeature
::
DISABLED
)
mr_permissions
=
[
:create_merge_request_from
,
:read_merge_request
,
:update_merge_request
,
:admin_merge_request
,
@@ -215,7 +216,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
owner
,
project
)
}
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
builds_access_level:
ProjectFeature
::
DISABLED
)
end
context
'without metrics_dashboard_allowed'
do
@@ -260,7 +261,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
guest
,
project
)
}
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
PRIVATE
)
project
.
project_feature
.
update
!
(
builds_access_level:
ProjectFeature
::
PRIVATE
)
end
it
'disallows pipeline and commit_status permissions'
do
@@ -275,50 +276,70 @@ describe ProjectPolicy do
end
context
'repository feature'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
let
(
:repository_permissions
)
do
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_build
,
:read_build
,
:update_build
,
:admin_build
,
:destroy_build
,
:create_pipeline_schedule
,
:read_pipeline_schedule
,
:update_pipeline_schedule
,
:admin_pipeline_schedule
,
:destroy_pipeline_schedule
,
:create_environment
,
:read_environment
,
:update_environment
,
:admin_environment
,
:destroy_environment
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin_cluster
,
:create_deployment
,
:read_deployment
,
:update_deployment
,
:admin_deployment
,
:destroy_deployment
,
:destroy_release
,
:download_code
,
:build_download_code
]
end
context
'when user is a project member'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
before
do
project
.
project_feature
.
update
(
repository_access_level:
ProjectFeature
::
DISABLED
)
end
context
'when it is disabled'
do
before
do
project
.
project_feature
.
update!
(
repository_access_level:
ProjectFeature
::
DISABLED
,
merge_requests_access_level:
ProjectFeature
::
DISABLED
,
builds_access_level:
ProjectFeature
::
DISABLED
,
forking_access_level:
ProjectFeature
::
DISABLED
)
end
context
'without metrics_dashboard_allowed'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
DISABLED
)
end
context
'without metrics_dashboard_allowed'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
DISABLED
)
end
it
'disallows all permissions when the feature is disabled'
do
repository_permissions
=
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_build
,
:read_build
,
:update_build
,
:admin_build
,
:destroy_build
,
:create_pipeline_schedule
,
:read_pipeline_schedule
,
:update_pipeline_schedule
,
:admin_pipeline_schedule
,
:destroy_pipeline_schedule
,
:create_environment
,
:read_environment
,
:update_environment
,
:admin_environment
,
:destroy_environment
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin_cluster
,
:create_deployment
,
:read_deployment
,
:update_deployment
,
:admin_deployment
,
:destroy_deployment
,
:destroy_release
]
it
'disallows all permissions when the feature is disabled'
do
expect_disallowed
(
*
repository_permissions
)
end
end
expect_disallowed
(
*
repository_permissions
)
context
'with metrics_dashboard_allowed'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
end
it
'disallows all permissions but read_environment when the feature is disabled'
do
expect_disallowed
(
*
(
repository_permissions
-
[
:read_environment
]))
expect_allowed
(
:read_environment
)
end
end
end
end
context
'with metrics_dashboard_allowed'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
end
context
'when user is some other user'
do
subject
{
described_class
.
new
(
other_user
,
project
)
}
it
'disallows all permissions when the feature is disabled'
do
repository_permissions
=
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_build
,
:read_build
,
:update_build
,
:admin_build
,
:destroy_build
,
:create_pipeline_schedule
,
:read_pipeline_schedule
,
:update_pipeline_schedule
,
:admin_pipeline_schedule
,
:destroy_pipeline_schedule
,
:create_environment
,
:update_environment
,
:admin_environment
,
:destroy_environment
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin_cluster
,
:create_deployment
,
:read_deployment
,
:update_deployment
,
:admin_deployment
,
:destroy_deployment
,
:destroy_release
]
context
'when access level is private'
do
before
do
project
.
project_feature
.
update!
(
repository_access_level:
ProjectFeature
::
PRIVATE
,
merge_requests_access_level:
ProjectFeature
::
PRIVATE
,
builds_access_level:
ProjectFeature
::
PRIVATE
,
forking_access_level:
ProjectFeature
::
PRIVATE
)
end
expect_disallowed
(
*
repository_permissions
)
expect_allowed
(
:read_environment
)
it
'disallows all permissions'
do
expect_disallowed
(
*
repository_permissions
)
end
end
end
end
@@ -601,7 +622,7 @@ describe ProjectPolicy do
context
'feature enabled'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
project
.
project_feature
.
update
!
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
end
context
'with reporter'
do
@@ -665,7 +686,7 @@ describe ProjectPolicy do
context
'feature enabled'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
project
.
project_feature
.
update
!
(
metrics_dashboard_access_level:
ProjectFeature
::
ENABLED
)
end
context
'with reporter'
do
@@ -750,7 +771,7 @@ describe ProjectPolicy do
context
'feature disabled'
do
before
do
project
.
project_feature
.
update
(
metrics_dashboard_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
metrics_dashboard_access_level:
ProjectFeature
::
DISABLED
)
end
context
'with reporter'
do
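Review bot: The rewritten 'repository feature' hunk (@@ -275,50 +276,70) only asserts the negative side: the new `let(:repository_permissions)` now ends with `:download_code` and `:build_download_code`, and every example visible under it calls `expect_disallowed`. Nothing in the hunk checks that a project member keeps `:build_download_code` when the repository feature is enabled, so an over-broad prevent in the policy would pass this spec unnoticed; consider a sibling context with `it 'allows build_download_code when the repository is enabled' do expect_allowed(:build_download_code) end`. The example named 'disallows all permissions' in `context 'when user is some other user'` sets four access levels to PRIVATE in one `update!`, which is fine, but the name does not say that it exercises a non-member; 'disallows all repository permissions for a non-member' would state the intent. The enclosing `describe ProjectPolicy do` block begins and ends outside the hunk.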