Commit 5d0810e0 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-branch-permissions' into 'master'

Check permissions for find_file_path

Closes #103

See merge request gitlab-org/security/gitlab!392
parents 466bff8e ca049d86
...@@ -625,6 +625,7 @@ module ProjectsHelper ...@@ -625,6 +625,7 @@ module ProjectsHelper
def find_file_path def find_file_path
return unless @project && !@project.empty_repo? return unless @project && !@project.empty_repo?
return unless can?(current_user, :download_code, @project)
ref = @ref || @project.repository.root_ref ref = @ref || @project.repository.root_ref
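Review bot: The new authorization guard sits after `@project.empty_repo?`, so a caller without `download_code` still triggers the repository check (presumably a Gitaly round-trip) before being rejected; putting the policy check ahead of the repository call costs nothing and is the more conventional ordering: `return unless @project && can?(current_user, :download_code, @project)` followed by `return if @project.empty_repo?`. The outcome is the same nil for every case the current two guards cover. The body of `find_file_path` continues past the hunk (the `ref` assignment on the last visible line is followed by code not shown), so how `@ref` is used downstream is not reviewable here.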
---
title: Prevent unauthorized access to default branch
merge_request:
author:
type: security
...@@ -280,11 +280,16 @@ describe ApplicationHelper do ...@@ -280,11 +280,16 @@ describe ApplicationHelper do
end end
context 'when @project is set' do context 'when @project is set' do
it 'includes all possible body data elements and associates the project elements with project' do let_it_be(:project) { create(:project, :repository) }
project = create(:project) let_it_be(:user) { create(:user) }
before do
assign(:project, project) assign(:project, project)
allow(helper).to receive(:current_user).and_return(nil)
end
it 'includes all possible body data elements and associates the project elements with project' do
expect(helper).to receive(:can?).with(nil, :download_code, project)
expect(helper.body_data).to eq( expect(helper.body_data).to eq(
{ {
page: 'application', page: 'application',
...@@ -305,12 +310,11 @@ describe ApplicationHelper do ...@@ -305,12 +310,11 @@ describe ApplicationHelper do
context 'when params[:id] is present and the issue exsits and action_name is show' do context 'when params[:id] is present and the issue exsits and action_name is show' do
it 'sets all project and id elements correctly related to the issue' do it 'sets all project and id elements correctly related to the issue' do
issue = create(:issue) issue = create(:issue, project: project)
stub_controller_method(:action_name, 'show') stub_controller_method(:action_name, 'show')
stub_controller_method(:params, { id: issue.id }) stub_controller_method(:params, { id: issue.id })
assign(:project, issue.project) expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
expect(helper.body_data).to eq( expect(helper.body_data).to eq(
{ {
page: 'projects:issues:show', page: 'projects:issues:show',
...@@ -325,6 +329,15 @@ describe ApplicationHelper do ...@@ -325,6 +329,15 @@ describe ApplicationHelper do
end end
end end
end end
context 'when current_user has download_code permission' do
it 'returns find_file with the default branch' do
allow(helper).to receive(:current_user).and_return(user)
expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
expect(helper.body_data[:find_file]).to end_with(project.default_branch)
end
end
end end
def stub_controller_method(method_name, value) def stub_controller_method(method_name, value)
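Review bot: The denial path is never asserted directly: the first hunk's `expect(helper).to receive(:can?).with(nil, :download_code, project)` has no `.and_return`, so the stub yields nil and `find_file` is only implicitly absent, while the explicit `.and_return(false)` in the second hunk feeds an `eq(...)` hash whose `find_file` entry lies outside the visible lines. A regression test for a security fix should pin the negative outcome as clearly as the positive one: add `.and_return(false)` to the first stub and, beside the new `download_code` context, a sibling context asserting `expect(helper.body_data[:find_file]).to be_nil`. Note also that every example stubs `can?`, so these specs verify that `find_file_path` consults the policy, not that `download_code` itself denies the intended users; that would belong in a policy or request spec. The enclosing `describe ApplicationHelper` block starts before the first hunk.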