Merge branch '12425-permissions' into 'master'

Add authorization for Dependencies Controller See merge request gitlab-org/gitlab-ee!14867

Merge branch '12425-permissions' into 'master'
Add authorization for Dependencies Controller See merge request gitlab-org/gitlab-ee!14867
8dba8760 · James Lopez · d680fd3e · 4f7281c3 · 8dba8760 · 8dba8760
Commit 8dba8760 authored Jul 30, 2019 by James Lopez
3 changed files
--- a/ee/app/controllers/projects/security/dependencies_controller.rb
+++ b/ee/app/controllers/projects/security/dependencies_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class DependenciesController < Projects::ApplicationController
+      before_action :authorize_read_dependency_list!
      before_action :ensure_dependency_list_feature_available
      def index
@@ -31,6 +32,10 @@ module Projects
        ::Gitlab::DependenciesCollection.new(found_dependencies)
      end
+      def authorize_read_dependency_list!
+        return render_403 unless can?(current_user, :read_project_security_dashboard, project)
+      end
      def ensure_dependency_list_feature_available
        render_404 unless project.feature_available?(:dependency_list)
      end

--- a/ee/changelogs/unreleased/12425-permissions.yml
+++ b/ee/changelogs/unreleased/12425-permissions.yml
+---
+title: Add authorization to the dependency list
+merge_request: 14867
+author:
+type: added
--- a/ee/spec/controllers/projects/security/dependencies_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/dependencies_controller_spec.rb
@@ -9,17 +9,17 @@ describe Projects::Security::DependenciesController do
    let(:params) { { namespace_id: project.namespace, project_id: project } }
    before do
-      project.add_developer(user)
+      sign_in(user)
    end
    context 'with authorized user' do
      before do
-        sign_in(user)
+        project.add_developer(user)
      end
      context 'when feature is available' do
        before do
-          stub_licensed_features(dependency_list: true)
+          stub_licensed_features(dependency_list: true, security_dashboard: true)
        end
        it 'counts usage of the feature' do
@@ -135,6 +135,8 @@ describe Projects::Security::DependenciesController do
      context 'when feature is not available' do
        before do
+          stub_licensed_features(security_dashboard: true)
          get :index, params: params, format: :json
        end
@@ -146,11 +148,13 @@ describe Projects::Security::DependenciesController do
    context 'with unauthorized user' do
      before do
+        project.add_guest(user)
        get :index, params: params, format: :json
      end
-      it 'returns 404' do
+      it 'returns 403' do
-        expect(response).to have_gitlab_http_status(404)
+        expect(response).to have_gitlab_http_status(403)
      end
    end
  end