Commit 930282ec authored by Sean McGivern's avatar Sean McGivern

Merge branch 'rp-remove-read-environments-for-dashboard-apis' into 'master'

Do not check read_environments for metrics dashboard APIs

See merge request gitlab-org/gitlab!32422
parents 9c851d6d 3e25fb46
...@@ -10,7 +10,7 @@ class Projects::EnvironmentsController < Projects::ApplicationController ...@@ -10,7 +10,7 @@ class Projects::EnvironmentsController < Projects::ApplicationController
push_frontend_feature_flag(:prometheus_computed_alerts) push_frontend_feature_flag(:prometheus_computed_alerts)
end end
before_action :authorize_read_environment! before_action :authorize_read_environment!, except: [:metrics, :additional_metrics, :metrics_dashboard, :metrics_redirect]
before_action :authorize_create_environment!, only: [:new, :create] before_action :authorize_create_environment!, only: [:new, :create]
before_action :authorize_stop_environment!, only: [:stop] before_action :authorize_stop_environment!, only: [:stop]
before_action :authorize_update_environment!, only: [:edit, :update, :cancel_auto_stop] before_action :authorize_update_environment!, only: [:edit, :update, :cancel_auto_stop]
......
...@@ -410,7 +410,7 @@ module ProjectsHelper ...@@ -410,7 +410,7 @@ module ProjectsHelper
nav_tabs << :pipelines nav_tabs << :pipelines
end end
if can?(current_user, :read_environment, project) || can?(current_user, :read_cluster, project) if can_view_operations_tab?(current_user, project)
nav_tabs << :operations nav_tabs << :operations
end end
...@@ -439,6 +439,7 @@ module ProjectsHelper ...@@ -439,6 +439,7 @@ module ProjectsHelper
def tab_ability_map def tab_ability_map
{ {
environments: :read_environment, environments: :read_environment,
metrics_dashboards: :metrics_dashboard,
milestones: :read_milestone, milestones: :read_milestone,
snippets: :read_snippet, snippets: :read_snippet,
settings: :admin_project, settings: :admin_project,
...@@ -454,6 +455,12 @@ module ProjectsHelper ...@@ -454,6 +455,12 @@ module ProjectsHelper
} }
end end
def can_view_operations_tab?(current_user, project)
[:read_environment, :read_cluster, :metrics_dashboard].any? do |ability|
can?(current_user, ability, project)
end
end
def search_tab_ability_map def search_tab_ability_map
@search_tab_ability_map ||= tab_ability_map.merge( @search_tab_ability_map ||= tab_ability_map.merge(
blobs: :download_code, blobs: :download_code,
......
...@@ -278,7 +278,6 @@ class ProjectPolicy < BasePolicy ...@@ -278,7 +278,6 @@ class ProjectPolicy < BasePolicy
rule { can?(:metrics_dashboard) }.policy do rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus enable :read_prometheus
enable :read_environment
enable :read_deployment enable :read_deployment
end end
...@@ -429,27 +428,11 @@ class ProjectPolicy < BasePolicy ...@@ -429,27 +428,11 @@ class ProjectPolicy < BasePolicy
rule { builds_disabled | repository_disabled }.policy do rule { builds_disabled | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:build)) prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule)) prevent(*create_read_update_admin_destroy(:pipeline_schedule))
prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:cluster)) prevent(*create_read_update_admin_destroy(:cluster))
prevent(*create_read_update_admin_destroy(:deployment)) prevent(*create_read_update_admin_destroy(:deployment))
end end
# Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is
# necessary due to the route for metrics dashboard requiring an environment id.
# This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when
# environments and metrics are decoupled and these rules will be removed.
rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do
prevent(*create_read_update_admin_destroy(:environment))
end
rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do
prevent :create_environment
prevent :update_environment
prevent :admin_environment
prevent :destroy_environment
enable :read_environment
end
# There's two separate cases when builds_disabled is true: # There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
# - We do not prevent the user from accessing Pipelines to allow them to access external CI # - We do not prevent the user from accessing Pipelines to allow them to access external CI
......
...@@ -216,7 +216,7 @@ ...@@ -216,7 +216,7 @@
= _('Operations') = _('Operations')
%li.divider.fly-out-top-item %li.divider.fly-out-top-item
- if project_nav_tab? :environments - if project_nav_tab? :metrics_dashboards
= nav_link(controller: :environments, action: [:metrics, :metrics_redirect]) do = nav_link(controller: :environments, action: [:metrics, :metrics_redirect]) do
= link_to metrics_project_environments_path(@project), title: _('Metrics'), class: 'shortcuts-metrics', data: { qa_selector: 'operations_metrics_link' } do = link_to metrics_project_environments_path(@project), title: _('Metrics'), class: 'shortcuts-metrics', data: { qa_selector: 'operations_metrics_link' } do
%span %span
......
...@@ -354,6 +354,19 @@ describe Projects::EnvironmentsController do ...@@ -354,6 +354,19 @@ describe Projects::EnvironmentsController do
expect(response).to redirect_to(environment_metrics_path(environment)) expect(response).to redirect_to(environment_metrics_path(environment))
end end
context 'with anonymous user and public dashboard visibility' do
let(:project) { create(:project, :public) }
let(:user) { create(:user) }
it 'redirects successfully' do
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
get :metrics_redirect, params: { namespace_id: project.namespace, project_id: project }
expect(response).to redirect_to(environment_metrics_path(environment))
end
end
context 'when there are no environments' do context 'when there are no environments' do
let(:environment) { } let(:environment) { }
...@@ -422,6 +435,19 @@ describe Projects::EnvironmentsController do ...@@ -422,6 +435,19 @@ describe Projects::EnvironmentsController do
get :metrics, params: environment_params get :metrics, params: environment_params
end end
end end
context 'with anonymous user and public dashboard visibility' do
let(:project) { create(:project, :public) }
let(:user) { create(:user) }
it 'returns success' do
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
get :metrics, params: environment_params
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
describe 'GET #additional_metrics' do describe 'GET #additional_metrics' do
...@@ -497,6 +523,26 @@ describe Projects::EnvironmentsController do ...@@ -497,6 +523,26 @@ describe Projects::EnvironmentsController do
get :metrics, params: environment_params get :metrics, params: environment_params
end end
end end
context 'with anonymous user and public dashboard visibility' do
let(:project) { create(:project, :public) }
let(:user) { create(:user) }
it 'does not fail' do
allow(environment)
.to receive(:additional_metrics)
.and_return({
success: true,
data: {},
last_update: 42
})
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
additional_metrics(window_params)
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
describe 'GET #metrics_dashboard' do describe 'GET #metrics_dashboard' do
...@@ -673,6 +719,17 @@ describe Projects::EnvironmentsController do ...@@ -673,6 +719,17 @@ describe Projects::EnvironmentsController do
it_behaves_like 'dashboard can be specified' it_behaves_like 'dashboard can be specified'
it_behaves_like 'dashboard can be embedded' it_behaves_like 'dashboard can be embedded'
context 'with anonymous user and public dashboard visibility' do
let(:project) { create(:project, :public) }
let(:user) { create(:user) }
before do
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it_behaves_like 'the default dashboard'
end
context 'permissions' do context 'permissions' do
before do before do
allow(controller).to receive(:can?).and_return true allow(controller).to receive(:can?).and_return true
......
...@@ -5,6 +5,9 @@ require 'spec_helper' ...@@ -5,6 +5,9 @@ require 'spec_helper'
describe ProjectsHelper do describe ProjectsHelper do
include ProjectForksHelper include ProjectForksHelper
let_it_be(:project) { create(:project) }
let_it_be(:user) { create(:user) }
describe '#project_incident_management_setting' do describe '#project_incident_management_setting' do
let(:project) { create(:project) } let(:project) { create(:project) }
...@@ -500,6 +503,23 @@ describe ProjectsHelper do ...@@ -500,6 +503,23 @@ describe ProjectsHelper do
end end
end end
describe '#can_view_operations_tab?' do
before do
allow(helper).to receive(:current_user).and_return(user)
end
subject { helper.send(:can_view_operations_tab?, user, project) }
[:read_environment, :read_cluster, :metrics_dashboard].each do |ability|
it 'includes operations tab' do
allow(helper).to receive(:can?).and_return(false)
allow(helper).to receive(:can?).with(user, ability, project).and_return(true)
is_expected.to be(true)
end
end
end
describe '#show_projects' do describe '#show_projects' do
let(:projects) do let(:projects) do
create(:project) create(:project)
......
...@@ -218,11 +218,6 @@ describe ProjectPolicy do ...@@ -218,11 +218,6 @@ describe ProjectPolicy do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end end
context 'without metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions except pipeline when the feature is disabled' do it 'disallows all permissions except pipeline when the feature is disabled' do
builds_permissions = [ builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
...@@ -236,26 +231,6 @@ describe ProjectPolicy do ...@@ -236,26 +231,6 @@ describe ProjectPolicy do
end end
end end
context 'with metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do
builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
]
expect_disallowed(*builds_permissions)
expect_allowed(:read_environment)
end
end
end
context 'when builds are disabled only for some users' do context 'when builds are disabled only for some users' do
subject { described_class.new(guest, project) } subject { described_class.new(guest, project) }
...@@ -277,16 +252,9 @@ describe ProjectPolicy do ...@@ -277,16 +252,9 @@ describe ProjectPolicy do
context 'repository feature' do context 'repository feature' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
before do it 'disallows all permissions when the feature is disabled' do
project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
end
context 'without metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions when the feature is disabled' do
repository_permissions = [ repository_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
...@@ -301,28 +269,6 @@ describe ProjectPolicy do ...@@ -301,28 +269,6 @@ describe ProjectPolicy do
end end
end end
context 'with metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions when the feature is disabled' do
repository_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release
]
expect_disallowed(*repository_permissions)
expect_allowed(:read_environment)
end
end
end
it_behaves_like 'project policies as anonymous' it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest' it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter' it_behaves_like 'project policies as reporter'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment