Disallow guest users from accessing Releases

As they do not have a permission to read git tag
author: Shinya Maeda <shinya@gitlab.com> 2019-03-22 19:14:39 +0700
committer: Shinya Maeda <shinya@gitlab.com> 2019-03-26 20:56:04 +0700
commit: bdee9e8412dc9fe4925031cb06070de0fb134de3 (patch)
tree: 0a165405c8d43301a83f28b231dc3b34655b78d3
parent: 61b2f70fdcbc8dce7504c6599f57e2db703cc5ae (diff)
download: gitlab-ce-bdee9e8412dc9fe4925031cb06070de0fb134de3.tar.gz
4 files changed, 46 insertions, 3 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 9f9f5230040..e9f4e0b4b41 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
     enable :award_emoji
     enable :read_pages_content
-    enable :read_release
   end
 
   # These abilities are not allowed to admins that are not members of the project,
@@ -203,6 +202,7 @@ class ProjectPolicy < BasePolicy
     enable :read_deployment
     enable :read_merge_request
     enable :read_sentry_issue
+    enable :read_release
   end
 
   # We define `:public_user_access` separately because there are cases in gitlab-ee
diff --git a/changelogs/unreleased/disallow-guests-to-access-releases.yml b/changelogs/unreleased/disallow-guests-to-access-releases.yml
new file mode 100644
index 00000000000..f2d518108d2
--- /dev/null
+++ b/changelogs/unreleased/disallow-guests-to-access-releases.yml
@@ -0,0 +1,5 @@
+---
+title: Disallow guest users from accessing Releases
+merge_request:
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 772d1fbee2b..c12c4677af1 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -15,7 +15,7 @@ describe ProjectPolicy do
       read_project_for_iids read_issue_iid read_label
       read_milestone read_project_snippet read_project_member read_note
       create_project create_issue create_note upload_file create_merge_request_in
-      award_emoji read_release
+      award_emoji
     ]
   end
 
@@ -24,7 +24,7 @@ describe ProjectPolicy do
       download_code fork_project create_project_snippet update_issue
       admin_issue admin_label admin_list read_commit_status read_build
       read_container_image read_pipeline read_environment read_deployment
-      read_merge_request download_wiki_code read_sentry_issue
+      read_merge_request download_wiki_code read_sentry_issue read_release
     ]
   end
 
diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
index 1f317971a66..71ec091c42c 100644
--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -4,12 +4,14 @@ describe API::Releases do
   let(:project) { create(:project, :repository, :private) }
   let(:maintainer) { create(:user) }
   let(:reporter) { create(:user) }
+  let(:guest) { create(:user) }
   let(:non_project_member) { create(:user) }
   let(:commit) { create(:commit, project: project) }
 
   before do
     project.add_maintainer(maintainer)
     project.add_reporter(reporter)
+    project.add_guest(guest)
 
     project.repository.add_tag(maintainer, 'v0.1', commit.id)
     project.repository.add_tag(maintainer, 'v0.2', commit.id)
@@ -66,6 +68,24 @@ describe API::Releases do
       end
     end
 
+    context 'when user is a guest' do
+      it 'responds 403 Forbidden' do
+        get api("/projects/#{project.id}/releases", guest)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'responds 200 OK' do
+          get api("/projects/#{project.id}/releases", guest)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
+
     context 'when user is not a project member' do
       it 'cannot find the project' do
         get api("/projects/#{project.id}/releases", non_project_member)
@@ -189,6 +209,24 @@ describe API::Releases do
           end
         end
       end
+
+      context 'when user is a guest' do
+        it 'responds 403 Forbidden' do
+          get api("/projects/#{project.id}/releases/v0.1", guest)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+
+        context 'when project is public' do
+          let(:project) { create(:project, :repository, :public) }
+
+          it 'responds 200 OK' do
+            get api("/projects/#{project.id}/releases/v0.1", guest)
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
+      end
     end
 
     context 'when specified tag is not found in the project' do
author	Shinya Maeda <shinya@gitlab.com>	2019-03-22 19:14:39 +0700
committer	Shinya Maeda <shinya@gitlab.com>	2019-03-26 20:56:04 +0700
commit	bdee9e8412dc9fe4925031cb06070de0fb134de3 (patch)
tree	0a165405c8d43301a83f28b231dc3b34655b78d3
parent	61b2f70fdcbc8dce7504c6599f57e2db703cc5ae (diff)
download	gitlab-ce-bdee9e8412dc9fe4925031cb06070de0fb134de3.tar.gz