Merge branch 'security-327062-jira-connect-app-conditions' into 'master'

Prevent non-admins from configuring Jira connect app See merge request gitlab-org/security/gitlab!1577

Merge branch 'security-327062-jira-connect-app-conditions' into 'master'
Prevent non-admins from configuring Jira connect app See merge request gitlab-org/security/gitlab!1577
cf2e0460 · Henri Philipps · 09d16635 · 36b00195 · cf2e0460 · cf2e0460
Commit cf2e0460 authored Aug 31, 2021 by Henri Philipps
2 changed files
--- a/app/controllers/jira_connect/app_descriptor_controller.rb
+++ b/app/controllers/jira_connect/app_descriptor_controller.rb
@@ -47,7 +47,13 @@ class JiraConnect::AppDescriptorController < JiraConnect::ApplicationController
      postInstallPage: {
        key: 'gitlab-configuration',
        name: { value: 'GitLab Configuration' },
-        url: relative_to_base_path(jira_connect_subscriptions_path)
+        url: relative_to_base_path(jira_connect_subscriptions_path),
+        conditions: [
+          {
+            condition: 'user_is_admin',
+            invert: false
+          }
+        ]
      }
    }


--- a/spec/controllers/jira_connect/app_descriptor_controller_spec.rb
+++ b/spec/controllers/jira_connect/app_descriptor_controller_spec.rb
@@ -54,7 +54,10 @@ RSpec.describe JiraConnect::AppDescriptorController do
        postInstallPage: {
          key: 'gitlab-configuration',
          name: { value: 'GitLab Configuration' },
-          url: '/subscriptions'
+          url: '/subscriptions',
+          conditions: contain_exactly(
+            a_hash_including(condition: 'user_is_admin', invert: false)
+          )
        },
        jiraDevelopmentTool: {
          actions: {