diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:55 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:55 +0000 |
commit | 2f0050fba988353109d216c2e89b475e04ca6f49 (patch) | |
tree | abe02a925c58e261b9fefe471e4748cc73f67c69 | |
parent | 90e223353182e9288a0507bee7d0b1c9394fa0b7 (diff) | |
parent | 81fee3617ab9005aa07d31308630e17330b8fd8b (diff) | |
download | gitlab-ce-2f0050fba988353109d216c2e89b475e04ca6f49.tar.gz |
Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master'
[master] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2771
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 12 |
3 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index a88cc4acccb..95ae85ed60c 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -393,7 +393,7 @@ class ProjectPolicy < BasePolicy end.enable :read_issue_iid rule do - (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request) + (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request) end.enable :read_merge_request_iid rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml new file mode 100644 index 00000000000..0281dde11e6 --- /dev/null +++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml @@ -0,0 +1,5 @@ +--- +title: Don't process MR refs for guests in the notes +merge_request: 2771 +author: +type: security diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 7d567a67a41..6c854bab5a5 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -12,7 +12,7 @@ describe ProjectPolicy do let(:base_guest_permissions) do %i[ read_project read_board read_list read_wiki read_issue - read_project_for_iids read_issue_iid read_merge_request_iid read_label + read_project_for_iids read_issue_iid read_label read_milestone read_project_snippet read_project_member read_note create_project create_issue create_note upload_file create_merge_request_in award_emoji read_release @@ -164,6 +164,16 @@ describe ProjectPolicy do end end + context 'for a guest in a private project' do + let(:project) { create(:project, :private) } + subject { described_class.new(guest, project) } + + it 'disallows the guest from reading the merge request and merge request iid' do + expect_disallowed(:read_merge_request) + expect_disallowed(:read_merge_request_iid) + end + end + context 'builds feature' do subject { described_class.new(owner, project) } |