[master] Operations settings page visible to reporter users

4cfa0b8a · Reuben Pereira · Cindy Pallares · c270ade7 · 4cfa0b8a · 4cfa0b8a
Commit 4cfa0b8a authored Nov 28, 2018 by Reuben Pereira Committed by Cindy Pallares Nov 28, 2018
5 changed files
--- a/ee/app/controllers/projects/settings/operations_controller.rb
+++ b/ee/app/controllers/projects/settings/operations_controller.rb
@@ -4,8 +4,7 @@ module Projects
  module Settings
    class OperationsController < Projects::ApplicationController
      before_action :check_license
-      before_action :authorize_update_environment!, only: [:create, :update]
+      before_action :authorize_update_environment!
-      before_action :authorize_read_environment!, only: [:show]
      def show
        @tracing_settings ||= ProjectTracingSetting.for_project(@project)

--- a/ee/app/controllers/projects/tracings_controller.rb
+++ b/ee/app/controllers/projects/tracings_controller.rb
@@ -2,7 +2,7 @@
 class Projects::TracingsController < Projects::ApplicationController
  before_action :check_license
-  before_action :authorize_read_environment!, only: [:show]
+  before_action :authorize_update_environment!
  def show
  end

--- a/ee/changelogs/unreleased/security-358-operations-page-visible-to-reporters.yml
+++ b/ee/changelogs/unreleased/security-358-operations-page-visible-to-reporters.yml
+---
+title: Prevent reporter roles from viewing the Jaeger tracing settings page
+merge_request:
+author:
+type: security
--- a/ee/spec/controllers/projects/settings/operations_controller_spec.rb
+++ b/ee/spec/controllers/projects/settings/operations_controller_spec.rb
@@ -10,21 +10,27 @@ describe Projects::Settings::OperationsController do
  end
  describe 'GET show' do
-    shared_examples 'user without access to project' do |project_visibility|
+    shared_examples 'user without read access' do |project_visibility|
      let(:project) { create(:project, project_visibility) }
-      it 'returns 404' do
+      %w[guest reporter developer].each do |role|
-        get :show, namespace_id: project.namespace, project_id: project
+        before do
+          project.public_send("add_#{role}", user)
+        end
-        expect(response).to have_gitlab_http_status(:not_found)
+        it 'returns 404' do
+          get :show, namespace_id: project.namespace, project_id: project
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end
-    shared_examples 'user with access to project' do |project_visibility|
+    shared_examples 'user with read access' do |project_visibility|
      let(:project) { create(:project, project_visibility) }
      before do
-        project.add_reporter(user)
+        project.add_maintainer(user)
      end
      it 'renders ok' do
@@ -50,16 +56,16 @@ describe Projects::Settings::OperationsController do
        stub_licensed_features(tracing: true)
      end
-      context 'when logged in with correct permission' do
+      context 'with maintainer role' do
-        it_behaves_like 'user with access to project', :public
+        it_behaves_like 'user with read access', :public
-        it_behaves_like 'user with access to project', :private
+        it_behaves_like 'user with read access', :private
-        it_behaves_like 'user with access to project', :internal
+        it_behaves_like 'user with read access', :internal
      end
-      context 'when logged in without correct permission' do
+      context 'without maintainer role' do
-        it_behaves_like 'user without access to project', :public
+        it_behaves_like 'user without read access', :public
-        it_behaves_like 'user without access to project', :private
+        it_behaves_like 'user without read access', :private
-        it_behaves_like 'user without access to project', :internal
+        it_behaves_like 'user without read access', :internal
      end
      context 'when user not logged in' do
@@ -67,7 +73,7 @@ describe Projects::Settings::OperationsController do
          sign_out(user)
        end
-        it_behaves_like 'user without access to project', :public
+        it_behaves_like 'user without read access', :public
        it_behaves_like 'user needs to login', :private
        it_behaves_like 'user needs to login', :internal
@@ -79,9 +85,9 @@ describe Projects::Settings::OperationsController do
        stub_licensed_features(tracing: false)
      end
-      it_behaves_like 'user without access to project', :public
+      it_behaves_like 'user without read access', :public
-      it_behaves_like 'user without access to project', :private
+      it_behaves_like 'user without read access', :private
-      it_behaves_like 'user without access to project', :internal
+      it_behaves_like 'user without read access', :internal
    end
  end
@@ -99,10 +105,16 @@ describe Projects::Settings::OperationsController do
    shared_examples 'user without write access' do |project_visibility|
      let(:project) { create(:project, project_visibility) }
-      it 'does not update tracing external_url' do
+      %w[guest reporter developer].each do |role|
-        update_project(project, external_url: 'https://gitlab.com')
+        before do
+          project.public_send("add_#{role}", user)
+        end
+        it 'does not update tracing external_url' do
+          update_project(project, external_url: 'https://gitlab.com')
-        expect(project.tracing_setting).to be_nil
+          expect(project.tracing_setting).to be_nil
+        end
      end
    end
@@ -125,13 +137,13 @@ describe Projects::Settings::OperationsController do
        end
      end
-      context 'with authorized user' do
+      context 'with maintainer role' do
        it_behaves_like 'user with write access', :public, 'https://gitlab.com', 'https://gitlab.com'
        it_behaves_like 'user with write access', :private, 'https://gitlab.com', 'https://gitlab.com'
        it_behaves_like 'user with write access', :internal, 'https://gitlab.com', 'https://gitlab.com'
      end
-      context 'with unauthorized user' do
+      context 'with non maintainer roles' do
        it_behaves_like 'user without write access', :public
        it_behaves_like 'user without write access', :private
        it_behaves_like 'user without write access', :internal

--- a/ee/spec/controllers/projects/tracings_controller_spec.rb
+++ b/ee/spec/controllers/projects/tracings_controller_spec.rb
@@ -6,36 +6,27 @@ describe Projects::TracingsController do
  set(:user) { create(:user) }
  describe 'GET show' do
-    describe 'with valid license' do
+    shared_examples 'user with read access' do |visibility_level|
+      let(:project) { create(:project, visibility_level) }
      before do
-        stub_licensed_features(tracing: true)
+        project.add_maintainer(user)
      end
-      shared_examples 'authorized user' do |visibility_level|
+      it 'renders OK' do
-        let(:project) { create(:project, visibility_level) }
+        get :show, namespace_id: project.namespace, project_id: project
-        before do
-          project.add_reporter(user)
-          sign_in(user)
-        end
-        it 'renders OK' do
-          get :show, namespace_id: project.namespace, project_id: project
-          expect(response).to have_gitlab_http_status(200)
+        expect(response).to have_gitlab_http_status(200)
-          expect(response).to render_template(:show)
+        expect(response).to render_template(:show)
-        end
      end
+    end
-      it_behaves_like 'authorized user', :public
+    shared_examples 'user without read access' do |visibility_level|
-      it_behaves_like 'authorized user', :internal
+      let(:project) { create(:project, visibility_level) }
-      it_behaves_like 'authorized user', :private
-      shared_examples 'unauthorized user' do |visibility_level|
-        let(:project) { create(:project, visibility_level) }
+      %w[guest reporter developer].each do |role|
        before do
-          sign_in(user)
+          project.public_send("add_#{role}", user)
        end
        it 'returns 404' do
@@ -44,37 +35,36 @@ describe Projects::TracingsController do
          expect(response).to have_gitlab_http_status(:not_found)
        end
      end
-      it_behaves_like 'unauthorized user', :public
-      it_behaves_like 'unauthorized user', :internal
-      it_behaves_like 'unauthorized user', :private
    end
-    context 'with invalid license' do
+    describe 'with valid license' do
      before do
-        stub_licensed_features(tracing: false)
+        stub_licensed_features(tracing: true)
        sign_in(user)
      end
-      shared_examples 'invalid license' do |visibility_level|
+      context 'with maintainer role' do
-        let(:project) { create(:project, visibility_level) }
+        it_behaves_like 'user with read access', :public
+        it_behaves_like 'user with read access', :internal
-        before do
+        it_behaves_like 'user with read access', :private
-          stub_licensed_features(tracing: false)
+      end
-          project.add_reporter(user)
-          sign_in(user)
-        end
-        it 'returns 404' do
+      context 'without maintainer role' do
-          get :show, namespace_id: project.namespace, project_id: project
+        it_behaves_like 'user without read access', :public
+        it_behaves_like 'user without read access', :internal
+        it_behaves_like 'user without read access', :private
+      end
+    end
-          expect(response).to have_gitlab_http_status(:not_found)
+    context 'with invalid license' do
-        end
+      before do
+        stub_licensed_features(tracing: false)
+        sign_in(user)
      end
-      it_behaves_like 'invalid license', :public
+      it_behaves_like 'user without read access', :public
-      it_behaves_like 'invalid license', :internal
+      it_behaves_like 'user without read access', :internal
-      it_behaves_like 'invalid license', :private
+      it_behaves_like 'user without read access', :private
    end
  end
 end