author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:50:25 +0000 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:50:28 +0000 |
commit | 6aa48a51e40525d4815397fa458bf1eecd653b80 (patch) | |
tree | 3e894a595fc57eda327f0785ee301867dcbd1185 | |
parent | a8cd5f279b3656ad2a53b4744a19bd25d876a5cb (diff) | |
download | gitlab-ce-6aa48a51e40525d4815397fa458bf1eecd653b80.tar.gz |
Merge branch '11-7-security-do-not-process-mr-ref-for-guests' into 'security-11-7'
[11.7] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2780
(cherry picked from commit f97d526d0837476eccbf6178bfebf1ed01c652eb)
e9793936 Don't process MR refs for guests in the notes
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 12 |
3 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bcba03596f2..cadbc5ae009 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -405,7 +405,7 @@ class ProjectPolicy < BasePolicy
 end.enable :read_issue_iid
 rule do
- (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
+ (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
 end.enable :read_merge_request_iid
 rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 00000000000..0281dde11e6
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a8d1f00a53f..49226a01846 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -12,7 +12,7 @@ describe ProjectPolicy do
 let(:base_guest_permissions) do
 %i[
 read_project read_board read_list read_wiki read_issue
- read_project_for_iids read_issue_iid read_merge_request_iid read_label
+ read_project_for_iids read_issue_iid read_label
 read_milestone read_project_snippet read_project_member read_note create_project create_issue create_note upload_file create_merge_request_in award_emoji read_release 
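Review bot: The added `~guest` term in the `read_merge_request_iid` rule records a security decision with no comment, so a later reader could take it as redundant with `merge_requests_visible_to_user` and drop it, reopening the iid-disclosure path this commit closes. A two-line comment above `rule do` would preserve the intent, e.g. `# Guests never get read_merge_request_iid through the iids path; MR references in notes` / `# must not reveal iids to them. Members rely on read_merge_request on the right-hand side.` If `guest` is a cumulative access-level condition rather than "exactly guest" (not visible here), the comment should say so, since `~guest` then excludes every member and only the `can?(:read_merge_request)` branch serves them. The enclosing `class ProjectPolicy` starts and ends outside the hunk.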
@@ -164,6 +164,16 @@ describe ProjectPolicy do
 end
 end
+ context 'for a guest in a private project' do
+ let(:project) { create(:project, :private) }
+ subject { described_class.new(guest, project) }
+
+ it 'disallows the guest from reading the merge request and merge request iid' do
+ expect_disallowed(:read_merge_request)
+ expect_disallowed(:read_merge_request_iid)
+ end
+ end
+
 context 'builds feature' do
 context 'when builds are disabled' do
 subject { described_class.new(owner, project) } |
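Review bot: The new context pins only the negative case, a guest on a private project, while the earlier hunk removes `read_merge_request_iid` from `base_guest_permissions`; as far as these hunks show, no assertion now covers the branch the policy keeps open, `~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user`, so a later change that drops that branch entirely would still pass. A mirror context with a project whose merge requests are visible and a non-member subject, ending in `expect_allowed(:read_merge_request_iid)`, would pin both sides of the rule. The `describe ProjectPolicy` block continues outside the hunk.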