author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:23:45 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:23:45 +0000 |
commit | 5ba20d39ca1d7968182abe3b0c36b2fa0fcdae20 (patch) | |
tree | 4b5d19f83ee9bec930e4c7c2dca98065a2c2acdf | |
parent | f44d4b3d5c2fb3903a9cc40bc7d72972242f0c57 (diff) | |
parent | a8496ae91e09a0d21415b4057dbe2b390bc90a5c (diff) | |
download | gitlab-ce-5ba20d39ca1d7968182abe3b0c36b2fa0fcdae20.tar.gz |
Merge branch 'security-2798-fix-boards-policy-11-8' into '11-8-stable'
Disable issue board policies when issues are disabled
See merge request gitlab/gitlabhq!2910
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-2798-fix-boards-policy.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 20 |
3 files changed, 19 insertions, 8 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index cadbc5ae009..a8270442ea9 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
 rule { issues_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:issue))
+ prevent(*create_read_update_admin_destroy(:board))
+ prevent(*create_read_update_admin_destroy(:list))
 end
 rule { merge_requests_disabled | repository_disabled }.policy do
diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml
new file mode 100644
index 00000000000..10e8ac3a787
--- /dev/null
+++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml
@@ -0,0 +1,5 @@
+---
+title: Disable issue boards API when issues are disabled
+merge_request:
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 93a468f585b..f8d581ef38f 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
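Review bot: The two added `prevent` calls in the `issues_disabled` rule carry no explanation of why board and list abilities must follow the issues feature toggle, and only the changelog entry records that this is a security fix; a later reader may treat the lines as unrelated and drop them. Suggest a comment directly above the new lines: `# Boards and lists enumerate issues, so they must be denied whenever issues are disabled.` The `create_read_update_admin_destroy` helper and the rest of the policy are outside this hunk, so whether it covers every board- and list-related ability the project exposes cannot be confirmed here.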
@@ -130,22 +130,26 @@ describe ProjectPolicy do
 subject { described_class.new(owner, project) }
 context 'when the feature is disabled' do
- it 'does not include the issues permissions' do
+ before do
 project.issues_enabled = false
 project.save!
+ end
+ it 'does not include the issues permissions' do
 expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
 end
- end
- context 'when the feature is disabled and external tracker configured' do
- it 'does not include the issues permissions' do
- create(:jira_service, project: project)
+ it 'disables boards and lists permissions' do
+ expect_disallowed :read_board, :create_board, :update_board, :admin_board
+ expect_disallowed :read_list, :create_list, :update_list, :admin_list
+ end
- project.issues_enabled = false
- project.save!
+ context 'when external tracker configured' do
+ it 'does not include the issues permissions' do
+ create(:jira_service, project: project)
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ end
 end
 end
 end |
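Review bot: The new `disables boards and lists permissions` example asserts only the read, create, update and admin abilities, while the policy helper it exercises is named `create_read_update_admin_destroy`, which suggests a destroy ability is generated as well; if so, `:destroy_board` and `:destroy_list` should be appended to the two `expect_disallowed` lines so a regression on deletion is caught. Both new examples run only for the `owner` subject set up at the top of the hunk, so no other role is covered by this change. The enclosing `describe` block and any sibling role contexts are outside this hunk.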