diff options
| author | Heinrich Lee Yu <heinrich@gitlab.com> | 2019-02-11 18:51:53 +0800 |
|---|---|---|
| committer | Heinrich Lee Yu <heinrich@gitlab.com> | 2019-02-14 14:34:04 +0800 |
| commit | bc5edd5c6e08a38265c73b9e27105bbdd7dd458f (patch) | |
| tree | f0c4aa8e89b083f5d66d1461b16d6c2d5cc76b1f | |
| parent | c46c62c51316da73724848b5f0dcb5aba82475e2 (diff) | |
| download | gitlab-ce-bc5edd5c6e08a38265c73b9e27105bbdd7dd458f.tar.gz | |
Disable board policies when issues are disabled
Board list policies are also included
| -rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
| -rw-r--r-- | changelogs/unreleased/security-2798-fix-boards-policy.yml | 5 | ||||
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 20 |
3 files changed, 19 insertions, 8 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index d1d1737dc22..9a5f8e8983f 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -286,6 +286,8 @@ class ProjectPolicy < BasePolicy rule { issues_disabled }.policy do prevent(*create_read_update_admin_destroy(:issue)) + prevent(*create_read_update_admin_destroy(:board)) + prevent(*create_read_update_admin_destroy(:list)) end rule { merge_requests_disabled | repository_disabled }.policy do diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml new file mode 100644 index 00000000000..10e8ac3a787 --- /dev/null +++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml @@ -0,0 +1,5 @@ +--- +title: Disable issue boards API when issues are disabled +merge_request: +author: +type: security diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 8dc320737aa..af9c42a6d01 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -130,22 +130,26 @@ describe ProjectPolicy do subject { described_class.new(owner, project) } context 'when the feature is disabled' do - it 'does not include the issues permissions' do + before do project.issues_enabled = false project.save! + end + it 'does not include the issues permissions' do expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue end - end - context 'when the feature is disabled and external tracker configured' do - it 'does not include the issues permissions' do - create(:jira_service, project: project) + it 'disables boards and lists permissions' do + expect_disallowed :read_board, :create_board, :update_board, :admin_board + expect_disallowed :read_list, :create_list, :update_list, :admin_list + end - project.issues_enabled = false - project.save! + context 'when external tracker configured' do + it 'does not include the issues permissions' do + create(:jira_service, project: project) - expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + end end end end |