authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:45:01 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:45:27 +0000
commit185d6a2578f64ffafd80bea5314915811a54486a (patch)
tree90d435f1c353da19b799046f66aa7abbf1bd778d
parent4530f5d0bdc9b2f60eed2146eaf1b6f35fc53b0e (diff)
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
-rw-r--r--lib/api/lint.rb2
-rw-r--r--lib/gitlab/current_settings.rb4
-rw-r--r--spec/lib/gitlab/current_settings_spec.rb36
-rw-r--r--spec/requests/api/lint_spec.rb28
4 files changed, 68 insertions, 2 deletions
diff --git a/lib/api/lint.rb b/lib/api/lint.rb
index e0806674c6a..945cdf3edb2 100644
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
@@ -11,7 +11,7 @@ module API
optional :include_merged_yaml, type: Boolean, desc: 'Whether or not to include merged CI config yaml in the response'
end
post '/lint' do
- unauthorized! if Gitlab::CurrentSettings.signup_disabled? && current_user.nil?
+ unauthorized! if (Gitlab::CurrentSettings.signup_disabled? || Gitlab::CurrentSettings.signup_limited?) && current_user.nil?
result = Gitlab::Ci::YamlProcessor.new(params[:content], user: current_user).execute
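Review bot: The new condition on the `unauthorized!` line encodes a policy — anonymous linting is offered only where anyone could register unrestricted anyway — but nothing in the hunk says so, and a reader who later loosens either predicate will not see what they are reopening. I would add above it `# Anonymous callers may lint only when self-registration is open and unrestricted; otherwise the endpoint (and the CI config it processes on the next line) is reserved for account holders.` Note that any non-nil `current_user` passes unchanged, so whether blocked or unconfirmed accounts are already mapped to nil is decided by the API auth layer outside this hunk. The enclosing `post '/lint'` block continues past the hunk.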
diff --git a/lib/gitlab/current_settings.rb b/lib/gitlab/current_settings.rb
index 7f55734f796..e7ffeeb9849 100644
--- a/lib/gitlab/current_settings.rb
+++ b/lib/gitlab/current_settings.rb
@@ -7,6 +7,10 @@ module Gitlab
!signup_enabled?
end
+ def signup_limited?
+ domain_allowlist.present? || email_restrictions_enabled? || require_admin_approval_after_user_signup?
+ end
+
def current_application_settings
Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
end
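Review bot: `signup_limited?` is used as an authorization gate but carries no doc comment stating its contract. I would add `# True when self-registration is open but restricted to certain accounts (domain allowlist, email restrictions, or admin approval). Paired with signup_disabled? to decide whether anonymous users may reach features meant for account holders.` Any future setting that narrows who may register must also be folded into this predicate, otherwise callers relying on it silently reopen to anonymous users; if the instance supports other restrictions (a domain denylist, for instance), they are not reflected here and that should be confirmed. The enclosing module continues outside the hunk.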
diff --git a/spec/lib/gitlab/current_settings_spec.rb b/spec/lib/gitlab/current_settings_spec.rb
index f5cb1987c5c..a5ab1047a40 100644
--- a/spec/lib/gitlab/current_settings_spec.rb
+++ b/spec/lib/gitlab/current_settings_spec.rb
@@ -24,6 +24,42 @@ RSpec.describe Gitlab::CurrentSettings do
end
end
+ describe '.signup_limited?' do
+ subject { described_class.signup_limited? }
+
+ context 'when there are allowed domains' do
+ before do
+ create(:application_setting, domain_allowlist: ['www.gitlab.com'])
+ end
+
+ it { is_expected.to be_truthy }
+ end
+
+ context 'when there are email restrictions' do
+ before do
+ create(:application_setting, email_restrictions_enabled: true)
+ end
+
+ it { is_expected.to be_truthy }
+ end
+
+ context 'when the admin has to approve signups' do
+ before do
+ create(:application_setting, require_admin_approval_after_user_signup: true)
+ end
+
+ it { is_expected.to be_truthy }
+ end
+
+ context 'when there are no restrictions' do
+ before do
+ create(:application_setting, domain_allowlist: [], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false)
+ end
+
+ it { is_expected.to be_falsey }
+ end
+ end
+
describe '.signup_disabled?' do
subject { described_class.signup_disabled? }
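Review bot: The three truthy contexts each set only one attribute and rely on the factory defaults for the other two, so if any default happened to be restrictive the example would pass for the wrong reason; the falsey context already sets all three explicitly. I would set the other two to their open values in each truthy context, e.g. `create(:application_setting, domain_allowlist: ['www.gitlab.com'], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false)`, so each example pins exactly one trigger. The enclosing describe block continues past the hunk.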
diff --git a/spec/requests/api/lint_spec.rb b/spec/requests/api/lint_spec.rb
index f26236e0253..57aa0f36192 100644
--- a/spec/requests/api/lint_spec.rb
+++ b/spec/requests/api/lint_spec.rb
@@ -27,9 +27,10 @@ RSpec.describe API::Lint do
end
end
- context 'when signup settings are enabled' do
+ context 'when signup is enabled and not limited' do
before do
Gitlab::CurrentSettings.signup_enabled = true
+ stub_application_setting(domain_allowlist: [], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false)
end
context 'when unauthenticated' do
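Review bot: The `before` block now mixes two mechanisms — `Gitlab::CurrentSettings.signup_enabled = true` presumably writes the real setting while the added `stub_application_setting` line stubs the other three — so the two values may not be observed through the same code path. Unless the direct assignment is needed here, folding it into one call, `stub_application_setting(signup_enabled: true, domain_allowlist: [], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false)`, keeps the setup consistent and makes the "not limited" precondition explicit in one place. The enclosing describe block continues outside the hunk.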
@@ -50,6 +51,31 @@ RSpec.describe API::Lint do
end
end
+ context 'when limited signup is enabled' do
+ before do
+ stub_application_setting(domain_allowlist: ['www.gitlab.com'])
+ Gitlab::CurrentSettings.signup_enabled = true
+ end
+
+ context 'when unauthenticated' do
+ it 'returns unauthorized' do
+ post api('/ci/lint'), params: { content: 'content' }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+
+ context 'when authenticated' do
+ let_it_be(:api_user) { create(:user) }
+
+ it 'returns authentication success' do
+ post api('/ci/lint', api_user), params: { content: 'content' }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+
context 'when authenticated' do
let_it_be(:api_user) { create(:user) }