authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:26:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:26:36 +0000
commitdadf501093010f76eda6fdc496ad8c3302a32892 (patch)
tree261e1dc4ab71b41c9d92b4aa5e17cd87ebceedd9
parent763dabacf328ca4f8f1ca50ec7e2e86e653eff6c (diff)
downloadgitlab-ce-dadf501093010f76eda6fdc496ad8c3302a32892.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/project_policy.rb4
-rw-r--r--app/services/members/import_project_team_service.rb2
-rw-r--r--doc/api/scim.md14
-rw-r--r--spec/controllers/projects/jobs_controller_spec.rb8
-rw-r--r--spec/policies/ci/build_policy_spec.rb48
-rw-r--r--spec/policies/project_policy_spec.rb30
7 files changed, 95 insertions, 13 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 6162a31c118..f377ff85b5e 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -84,7 +84,7 @@ module Ci
enable :update_commit_status
end
- rule { can?(:update_build) & terminal }.enable :create_build_terminal
+ rule { can?(:update_build) & terminal & owner_of_job }.enable :create_build_terminal
rule { can?(:update_build) }.enable :play_job
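Review bot: The tightened rule references `owner_of_job`, which is not defined in this hunk, and it carries no comment saying why terminal access is now narrower than `update_build` even though `update_build` alone still grants `play_job` on the next line; a later cleanup could easily "simplify" the two rules back into one. A short why-comment above the rule would anchor it: `# A terminal on the runner session is interactive access to the job's environment; limit it to the user who ran the job, not everyone who may update builds.` If `owner_of_job` is an equality check against `build.user`, it is worth confirming what it yields for jobs that have no user (e.g. trigger- or schedule-started pipelines, if those leave `user` nil) — the safe answer is denial, and the spec in this commit does not cover that case. The `Ci` module body continues on both sides of this hunk.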
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 68b288bdc87..493afd91364 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -748,6 +748,10 @@ class ProjectPolicy < BasePolicy
prevent :register_project_runners
end
+ rule { can?(:admin_project_member) }.policy do
+ enable :import_project_members_from_another_project
+ end
+
private
def user_is_user?
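Review bot: As written, `import_project_members_from_another_project` is a plain alias of `admin_project_member` — nothing in this hunk prevents it in any case where `admin_project_member` holds, so whatever this split is meant to restrict must come from an override elsewhere (presumably another policy layer) that the diff does not show. Without a comment the indirection looks redundant and is at risk of being inlined back into `admin_project_member`; I would add `# Split out from admin_project_member so another policy can deny cross-project member import on its own without touching member administration in general.` The `user_is_user?` definition at the bottom of the hunk continues outside it.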
diff --git a/app/services/members/import_project_team_service.rb b/app/services/members/import_project_team_service.rb
index 5f4d5414cfa..6efd65e2575 100644
--- a/app/services/members/import_project_team_service.rb
+++ b/app/services/members/import_project_team_service.rb
@@ -29,7 +29,7 @@ module Members
def import_project_team
return false unless target_project.present? && source_project.present? && current_user.present?
return false unless can?(current_user, :read_project_member, source_project)
- return false unless can?(current_user, :admin_project_member, target_project)
+ return false unless can?(current_user, :import_project_members_from_another_project, target_project)
target_project.team.import(source_project, current_user)
end
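Review bot: The three guard clauses in `import_project_team` collapse a missing project or user, lack of read access on the source, and lack of import rights on the target into the same bare `false`, so the caller cannot distinguish a not-found from a forbidden and nothing records the denied attempt. Within the current interface the least that helps is a why-comment on the two authorization lines: `# Two-sided check: the caller must be able to read the source team (so the import cannot be used to enumerate members they cannot see) and hold the dedicated import ability on the target.` If the service already has a result-object convention elsewhere in this file, returning a distinguishable error from each guard would be better; that part of the file is not in view.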
diff --git a/doc/api/scim.md b/doc/api/scim.md
index ab3a181f5be..9c88997b94c 100644
--- a/doc/api/scim.md
+++ b/doc/api/scim.md
@@ -170,13 +170,13 @@ Returns a `201` status code if successful.
Fields that can be updated are:
-| SCIM/IdP field | GitLab field |
-|:---------------------------------|:---------------------------------------|
-| `id/externalId` | `extern_uid` |
-| `name.formatted` | `name` |
-| `emails\[type eq "work"\].value` | `email` |
-| `active` | Identity removal if `active` = `false` |
-| `userName` | `username` |
+| SCIM/IdP field | GitLab field |
+|:---------------------------------|:-----------------------------------------------------------------------------|
+| `id/externalId` | `extern_uid` |
+| `name.formatted` | `name` ([Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/363058)) |
+| `emails\[type eq "work"\].value` | `email` ([Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/363058)) |
+| `active` | Identity removal if `active` = `false` |
+| `userName` | `username` ([Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/363058)) |
```plaintext
PATCH /api/scim/v2/groups/:group_path/Users/:id
diff --git a/spec/controllers/projects/jobs_controller_spec.rb b/spec/controllers/projects/jobs_controller_spec.rb
index e9f1232b5e7..d985b6cf2f7 100644
--- a/spec/controllers/projects/jobs_controller_spec.rb
+++ b/spec/controllers/projects/jobs_controller_spec.rb
@@ -183,7 +183,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end
context 'with web terminal' do
- let(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) }
+ let(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
it 'exposes the terminal path' do
expect(response).to have_gitlab_http_status(:ok)
@@ -1284,7 +1284,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
context 'when job exists' do
context 'and it has a terminal' do
- let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) }
+ let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
it 'has a job' do
get_terminal(id: job.id)
@@ -1295,7 +1295,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end
context 'and does not have a terminal' do
- let!(:job) { create(:ci_build, :running, pipeline: pipeline) }
+ let!(:job) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'returns not_found' do
get_terminal(id: job.id)
@@ -1324,7 +1324,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end
describe 'GET #terminal_websocket_authorize' do
- let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) }
+ let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
before do
project.add_developer(user)
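Review bot: Every job in these controller contexts is now created with `user: user`, so no controller-level example exercises the path the policy change closes — a user who can update builds but did not run the job requesting `#terminal` or `#terminal_websocket_authorize`. The policy spec covers the ability, but it is the controller's translation of a denied ability into a response that protects the endpoint, and that translation is not pinned anywhere in this commit. One negative example per action, e.g. `let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: create(:user)) }` asserting the denied status the controller returns (not visible here, so confirm whether it is `:not_found` or `:forbidden`), would do it. The `before` block at the end of this hunk continues outside it.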
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index 1ec749fb394..fee4d76ca8f 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -405,4 +405,52 @@ RSpec.describe Ci::BuildPolicy do
end
end
end
+
+ describe 'ability :create_build_terminal' do
+ let(:project) { create(:project, :private) }
+
+ subject { described_class.new(user, build) }
+
+ context 'when user can update_build' do
+ before do
+ project.add_maintainer(user)
+ end
+
+ context 'when job has terminal' do
+ before do
+ allow(build).to receive(:has_terminal?).and_return(true)
+ end
+
+ context 'when current user is the job owner' do
+ before do
+ build.update!(user: user)
+ end
+
+ it { expect_allowed(:create_build_terminal) }
+ end
+
+ context 'when current user is not the job owner' do
+ it { expect_disallowed(:create_build_terminal) }
+ end
+ end
+
+ context 'when job does not have terminal' do
+ before do
+ allow(build).to receive(:has_terminal?).and_return(false)
+ build.update!(user: user)
+ end
+
+ it { expect_disallowed(:create_build_terminal) }
+ end
+ end
+
+ context 'when user cannot update build' do
+ before do
+ project.add_guest(user)
+ allow(build).to receive(:has_terminal?).and_return(true)
+ end
+
+ it { expect_disallowed(:create_build_terminal) }
+ end
+ end
end
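Review bot: The new examples cover owner and non-owner, but not a job whose `user` is nil, which is the case most likely to surprise an equality-based `owner_of_job` condition (defined outside this hunk, so its exact behaviour for a nil owner cannot be read here). A third context under 'when job has terminal' that clears the owner and expects denial would pin the safe outcome; `build` and `user` come from lets above the hunk, and this assumes the `user` association accepts nil — confirm against the factory/schema. The spec's outer `RSpec.describe` starts outside the hunk.

```ruby
        # … unchanged: 'when current user is not the job owner' context …

        context 'when job has no owner' do
          before do
            build.update!(user: nil)
          end

          it { expect_disallowed(:create_build_terminal) }
        end
```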
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ca4ca2eb7a0..b77ccb83509 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -396,6 +396,36 @@ RSpec.describe ProjectPolicy do
end
end
+ context 'importing members from another project' do
+ %w(maintainer owner).each do |role|
+ context "with #{role}" do
+ let(:current_user) { send(role) }
+
+ it { is_expected.to be_allowed(:import_project_members_from_another_project) }
+ end
+ end
+
+ %w(guest reporter developer anonymous).each do |role|
+ context "with #{role}" do
+ let(:current_user) { send(role) }
+
+ it { is_expected.to be_disallowed(:import_project_members_from_another_project) }
+ end
+ end
+
+ context 'with an admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { expect_allowed(:import_project_members_from_another_project) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { expect_disallowed(:import_project_members_from_another_project) }
+ end
+ end
+ end
+
context 'reading usage quotas' do
%w(maintainer owner).each do |role|
context "with #{role}" do
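Review bot: The role matrix stops at the membership roles plus admin, so nothing checks that the new ability is actually tied to `admin_project_member` — a case where `admin_project_member` is prevented for a maintainer (whichever condition the policy file uses for that, it is outside this diff) should also see `be_disallowed(:import_project_members_from_another_project)`, otherwise a future rule could enable one without the other unnoticed. If the spec's shared context provides a `non_member` user, it belongs in the disallowed list alongside `anonymous` as well. The `context 'reading usage quotas'` block at the end of this hunk continues outside it.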