authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 12:09:15 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 12:09:15 +0000
commit0b03a22cc9a13d31c3b4bfa114003b87f762fd5a (patch)
treed01a8c70afe8f45b6a787f252f90f594fe9d0f81
parent1cf04dc4ca917afc1989d25906d77f2a8df83991 (diff)
downloadgitlab-ce-0b03a22cc9a13d31c3b4bfa114003b87f762fd5a.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee
-rw-r--r--app/policies/concerns/readonly_abilities.rb1
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--app/services/issues/base_service.rb7
-rw-r--r--app/services/issues/build_service.rb21
-rw-r--r--locale/gitlab.pot3
-rw-r--r--spec/policies/project_policy_spec.rb4
-rw-r--r--spec/services/issues/build_service_spec.rb6
-rw-r--r--spec/support/shared_contexts/policies/project_policy_shared_context.rb2
-rw-r--r--spec/support/shared_examples/policies/project_policy_shared_examples.rb2
9 files changed, 26 insertions, 22 deletions
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
index 0303d4cff14..730da7581ad 100644
--- a/app/policies/concerns/readonly_abilities.rb
+++ b/app/policies/concerns/readonly_abilities.rb
@@ -13,6 +13,7 @@ module ReadonlyAbilities
create_merge_request_from
create_merge_request_in
award_emoji
+ create_incident
].freeze
READONLY_FEATURES = %i[
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index c577c8c8471..ebff7d0a2ae 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -226,6 +226,8 @@ class ProjectPolicy < BasePolicy
enable :read_insights
end
+ rule { can?(:guest_access) & can?(:create_issue) }.enable :create_incident
+
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
rule { guest & can?(:download_code) }.enable :build_download_code
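Review bot: The new `create_incident` rule on the first added line has no comment saying why incident creation is a distinct ability when it is currently granted on exactly the same terms as `create_issue`; presumably the split exists so it can later be restricted independently, but a reader of the policy cannot tell. A one-line comment above the rule, such as `# Incident creation is a separate ability so it can be tightened independently of :create_issue`, would record the intent. The enclosing ProjectPolicy class begins and ends outside the hunk.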
diff --git a/app/services/issues/base_service.rb b/app/services/issues/base_service.rb
index 07e4a10708e..cdd9acfdf60 100644
--- a/app/services/issues/base_service.rb
+++ b/app/services/issues/base_service.rb
@@ -37,6 +37,8 @@ module Issues
def filter_params(issue)
super
+ params.delete(:issue_type) unless issue_type_allowed?(issue)
+
moved_issue = params.delete(:moved_issue)
# Setting created_at, updated_at and iid is allowed only for admins and owners or
@@ -75,6 +77,11 @@ module Issues
Milestones::IssuesCountService.new(milestone).delete_cache
end
+
+ # @param object [Issue, Project]
+ def issue_type_allowed?(object)
+ can?(current_user, :"create_#{params[:issue_type]}", object)
+ end
end
end
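Review bot: `issue_type_allowed?` builds the ability name from the request value itself (`:"create_#{params[:issue_type]}"`), so a value is kept whenever any `create_*` ability with that name is granted, not only when it is a valid issue type; this same commit shows `create_merge_request_in`, `create_note` and `create_project` as guest-level abilities, so an `issue_type` such as `'note'` would pass the filter and reach the model, where the removed spec expectation in build_service_spec shows an unknown type raises ArgumentError. Validate the value against the model's list of issue types before interpolating it into an ability symbol, and return false when the key is absent so the helper does not query the meaningless `:create_` ability; e.g. `type = params[:issue_type]` / `return false if type.blank?` followed by the type check and the existing `can?` call. The spec hunk in build_service_spec only exercises `'invalid type'`, which matches no ability; add an example for a value that collides with a granted `create_*` ability to pin the filter's behaviour. `filter_params` in the first hunk of this file continues outside the hunk.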
diff --git a/app/services/issues/build_service.rb b/app/services/issues/build_service.rb
index 3145739fe91..c975cbebfd5 100644
--- a/app/services/issues/build_service.rb
+++ b/app/services/issues/build_service.rb
@@ -64,20 +64,17 @@ module Issues
private
- def allowed_issue_base_params
- [:title, :description, :confidential, :issue_type]
- end
+ def allowed_issue_params
+ allowed_params = [
+ :title,
+ :description,
+ :confidential
+ ]
- def allowed_issue_admin_params
- [:milestone_id]
- end
+ allowed_params << :milestone_id if can?(current_user, :admin_issue, project)
+ allowed_params << :issue_type if issue_type_allowed?(project)
- def allowed_issue_params
- if can?(current_user, :admin_issue, project)
- params.slice(*(allowed_issue_base_params + allowed_issue_admin_params))
- else
- params.slice(*allowed_issue_base_params)
- end
+ params.slice(*allowed_params)
end
def build_issue_params
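Review bot: The base list in the new `allowed_issue_params` is a three-symbol literal spread over five lines; the idiomatic form is `allowed_params = %i[title description confidential]` (left unfrozen, since the method appends to it). The `issue_type_allowed?(project)` call also runs a policy lookup even when no `issue_type` was submitted, producing the ability `:create_`; `allowed_params << :issue_type if params[:issue_type].present? && issue_type_allowed?(project)` skips the spurious lookup without changing the outcome, assuming an undefined ability evaluates to false. `issue_type_allowed?` is defined in Issues::BaseService in this same commit, outside this file.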
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 208eb2086f1..fbb9ca4b812 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -30898,9 +30898,6 @@ msgstr ""
msgid "Test Cases"
msgstr ""
-msgid "Test cases are not available for this project"
-msgstr ""
-
msgid "Test coverage parsing"
msgstr ""
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index f2c941080b5..750119a1079 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -60,7 +60,7 @@ RSpec.describe ProjectPolicy do
end
it 'does not include the issues permissions' do
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident
end
it 'disables boards and lists permissions' do
@@ -72,7 +72,7 @@ RSpec.describe ProjectPolicy do
it 'does not include the issues permissions' do
create(:jira_service, project: project)
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident
end
end
end
diff --git a/spec/services/issues/build_service_spec.rb b/spec/services/issues/build_service_spec.rb
index 80fe2474ecd..4b3668bdb42 100644
--- a/spec/services/issues/build_service_spec.rb
+++ b/spec/services/issues/build_service_spec.rb
@@ -184,9 +184,9 @@ RSpec.describe Issues::BuildService do
end
it 'cannot set invalid type' do
- expect do
- build_issue(issue_type: 'invalid type')
- end.to raise_error(ArgumentError, "'invalid type' is not a valid issue_type")
+ issue = build_issue(issue_type: 'invalid type')
+
+ expect(issue).to be_issue
end
end
end
diff --git a/spec/support/shared_contexts/policies/project_policy_shared_context.rb b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
index 266c8d5ee84..35dc709b5d9 100644
--- a/spec/support/shared_contexts/policies/project_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
@@ -15,7 +15,7 @@ RSpec.shared_context 'ProjectPolicy context' do
let(:base_guest_permissions) do
%i[
- award_emoji create_issue create_merge_request_in create_note
+ award_emoji create_issue create_incident create_merge_request_in create_note
create_project read_issue_board read_issue read_issue_iid read_issue_link
read_label read_issue_board_list read_milestone read_note read_project
read_project_for_iids read_project_member read_release read_snippet
diff --git a/spec/support/shared_examples/policies/project_policy_shared_examples.rb b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
index d05e5eb9120..013c9b61b99 100644
--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -57,7 +57,7 @@ RSpec.shared_examples 'project policies as anonymous' do
context 'when a project has pending invites' do
let(:group) { create(:group, :public) }
let(:project) { create(:project, :public, namespace: group) }
- let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
+ let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji, :create_incident] }
let(:anonymous_permissions) { guest_permissions - user_permissions }
let(:current_user) { anonymous }