Commit 2b2efbc6 authored by John T Skarbek's avatar John T Skarbek

Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'

parents affa81eb 7b52cff4
...@@ -35,6 +35,8 @@ class SlashCommandsService < Service ...@@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user = find_chat_user(params) chat_user = find_chat_user(params)
if chat_user&.user if chat_user&.user
return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
else else
url = authorize_chat_name_url(params) url = authorize_chat_name_url(params)
......
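Review bot: The `can?(:use_slash_commands)` guard added at the top of the `if chat_user&.user` branch enforces the policy only on this service path; if `Gitlab::SlashCommands::Command` is constructed by any other caller (none is visible in this hunk), that caller would bypass the check, so it is worth confirming whether the check belongs in `Command#execute` as well. A short why-comment would also help the next reader, e.g. `# Blocked, internal and access-locked users must not run commands via chat (GlobalPolicy prevents :use_slash_commands for them).` The enclosing method starts and ends outside the hunk.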
...@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy ...@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
enable :access_git enable :access_git
enable :receive_notifications enable :receive_notifications
enable :use_quick_actions enable :use_quick_actions
enable :use_slash_commands
end end
rule { blocked | internal }.policy do rule { blocked | internal }.policy do
...@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy ...@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
prevent :access_api prevent :access_api
prevent :access_git prevent :access_git
prevent :receive_notifications prevent :receive_notifications
prevent :use_slash_commands
end end
rule { required_terms_not_accepted }.policy do rule { required_terms_not_accepted }.policy do
...@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy ...@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
rule { access_locked }.policy do rule { access_locked }.policy do
prevent :log_in prevent :log_in
prevent :use_slash_commands
end end
rule { ~(anonymous & restricted_public_level) }.policy do rule { ~(anonymous & restricted_public_level) }.policy do
......
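Review bot: The title says slash commands are restricted to users who can log in, but the `rule { required_terms_not_accepted }` that closes the second hunk receives no `prevent :use_slash_commands` (its body is outside the hunk); if that rule also prevents `:log_in`, the same `prevent :use_slash_commands` line belongs there, with a matching `context 'when terms not accepted'` in the GlobalPolicy spec. The `blocked | internal` and `access_locked` rules are covered, so this is the only visible gap in the invariant. A comment beside `enable :use_slash_commands`, e.g. `# Chat slash commands; revoked below for blocked, internal and access-locked users.`, would document why the ability is separate from `:use_quick_actions`. The rule that enables the ability begins outside the first hunk.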
---
title: Restrict slash commands to users who can log in
merge_request:
author:
type: security
...@@ -226,4 +226,32 @@ describe GlobalPolicy do ...@@ -226,4 +226,32 @@ describe GlobalPolicy do
it { is_expected.not_to be_allowed(:read_instance_statistics) } it { is_expected.not_to be_allowed(:read_instance_statistics) }
end end
end end
describe 'slash commands' do
context 'regular user' do
it { is_expected.to be_allowed(:use_slash_commands) }
end
context 'when internal' do
let(:current_user) { User.ghost }
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when blocked' do
before do
current_user.block
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when access locked' do
before do
current_user.lock_access!
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
end
end end
...@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do ...@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do
subject.trigger(params) subject.trigger(params)
end end
context 'when user is blocked' do
before do
chat_name.user.block
end
it 'blocks command execution' do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
result = subject.trigger(params)
expect(result).to include(text: /^Whoops! This action is not allowed/)
end
end
end end
end end
end end
......
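Review bot: The new denial assertion matches with `/^Whoops! This action is not allowed/`; `^` anchors at any line start, so `\A` is the safer choice when the intent is to check the beginning of the response text. `expect_any_instance_of` is a legacy RSpec API and a negative expectation on it passes trivially if no instance is created for an unrelated reason; asserting the denial result alone, or stubbing `Gitlab::SlashCommands::Command.new`, makes the intent clearer. Only the blocked case is exercised at the service level; the access-locked and internal cases are covered in the GlobalPolicy spec, which seems adequate. The enclosing shared example group starts outside the hunk.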