Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

4 files changed, 50 insertions, 1 deletions

diff --git a/Gemfile.lock b/Gemfile.lock
index 351e7ec94a6..ac21ea32dc2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -791,7 +791,7 @@ GEM
       nenv (~> 0.1)
       shellany (~> 0.0)
     numerizer (0.2.0)
-    oauth (0.5.4)
+    oauth (0.5.6)
     oauth2 (1.4.4)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
diff --git a/app/services/issues/base_service.rb b/app/services/issues/base_service.rb
index 72e906e20f1..dae1e557249 100644
--- a/app/services/issues/base_service.rb
+++ b/app/services/issues/base_service.rb
@@ -47,6 +47,9 @@ module Issues
       params.delete(:created_at) unless moved_issue || current_user.can?(:set_issue_created_at, project)
       params.delete(:updated_at) unless moved_issue || current_user.can?(:set_issue_updated_at, project)
 
+      # Only users with permission to handle error data can add it to issues
+      params.delete(:sentry_issue_attributes) unless current_user.can?(:update_sentry_issue, project)
+
       issue.system_note_timestamp = params[:created_at] || params[:updated_at]
     end
 
diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb
index 9c84242d8ae..f52e86b3f4d 100644
--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -224,6 +224,27 @@ RSpec.describe Issues::CreateService do
         end
       end
 
+      context 'when sentry identifier is given' do
+        before do
+          sentry_attributes = { sentry_issue_attributes: { sentry_issue_identifier: 42 } }
+          opts.merge!(sentry_attributes)
+        end
+
+        context 'user is a guest' do
+          before do
+            project.add_guest(user)
+          end
+
+          it 'does not assign the sentry error' do
+            expect(issue.sentry_issue).to eq(nil)
+          end
+        end
+
+        it 'assigns the sentry error' do
+          expect(issue.sentry_issue).to be_kind_of(SentryIssue)
+        end
+      end
+
       it 'executes issue hooks when issue is not confidential' do
         opts = { title: 'Title', description: 'Description', confidential: false }
 
diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb
index 8c97dd95ced..7f31e8466cd 100644
--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -82,6 +82,31 @@ RSpec.describe Issues::UpdateService, :mailer do
         expect(issue.milestone).to eq milestone
       end
 
+      context 'when sentry identifier is given' do
+        before do
+          sentry_attributes = { sentry_issue_attributes: { sentry_issue_identifier: 42 } }
+          opts.merge!(sentry_attributes)
+        end
+
+        it 'assigns the sentry error' do
+          update_issue(opts)
+
+          expect(issue.sentry_issue).to be_kind_of(SentryIssue)
+        end
+
+        context 'user is a guest' do
+          before do
+            project.add_guest(user)
+          end
+
+          it 'does not assign the sentry error' do
+            update_issue(opts)
+
+            expect(issue.sentry_issue).to eq(nil)
+          end
+        end
+      end
+
       context 'when issue type is not incident' do
         it 'returns default severity' do
           update_issue(opts)