author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 12:03:36 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 12:03:36 +0000 |
commit | 8f55c567e2da284ea78fabe1994f234bbd7b6023 (patch) | |
tree | 84b709cc9bf53778af3a0e8a40b467fadd91ac2b | |
parent | acd33ab4ff107fc73b9dd310ba65e60bd3119c0b (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee
-rw-r--r-- | app/controllers/projects/pipelines_controller.rb | 2 | ||||
-rw-r--r-- | app/graphql/resolvers/project_pipeline_statistics_resolver.rb | 4 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 3 | ||||
-rw-r--r-- | lib/sidebars/projects/menus/analytics_menu.rb | 1 | ||||
-rw-r--r-- | spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb | 24 | ||||
-rw-r--r-- | spec/lib/sidebars/projects/menus/analytics_menu_spec.rb | 16 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 53 |
7 files changed, 88 insertions, 15 deletions
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index 415a0d66eda..deb1500ceed 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -9,7 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController
   before_action :set_pipeline_path, only: [:show]
   before_action :authorize_read_pipeline!
   before_action :authorize_read_build!, only: [:index, :show]
-  before_action :authorize_read_analytics!, only: [:charts]
+  before_action :authorize_read_ci_cd_analytics!, only: [:charts]
   before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
   before_action :authorize_update_pipeline!, only: [:retry, :cancel]
   before_action do
diff --git a/app/graphql/resolvers/project_pipeline_statistics_resolver.rb b/app/graphql/resolvers/project_pipeline_statistics_resolver.rb
index 29ab9402f5b..79d01b9bf2e 100644
--- a/app/graphql/resolvers/project_pipeline_statistics_resolver.rb
+++ b/app/graphql/resolvers/project_pipeline_statistics_resolver.rb
@@ -2,8 +2,12 @@
 
 module Resolvers
   class ProjectPipelineStatisticsResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
     type Types::Ci::AnalyticsType, null: true
 
+    authorizes_object!
+    authorize :read_ci_cd_analytics
+
     def resolve
       weekly_stats = Gitlab::Ci::Charts::WeekChart.new(object)
       monthly_stats = Gitlab::Ci::Charts::MonthChart.new(object)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 184ed44146f..a9446810e81 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -283,6 +283,7 @@ class ProjectPolicy < BasePolicy
     enable :read_confidential_issues
     enable :read_package
     enable :read_product_analytics
+    enable :read_ci_cd_analytics
   end
 
   # We define `:public_user_access` separately because there are cases in gitlab-ee
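Review bot: The GraphQL path is gated more loosely than the controller path: `authorizes_object!` with `authorize :read_ci_cd_analytics` checks only the new ability, whereas the controller hunk keeps `charts` behind `authorize_read_pipeline!` (applied to every action) as well as the new `authorize_read_ci_cd_analytics!`. A caller who holds `read_ci_cd_analytics` but not `read_pipeline` — for example on a project whose CI/CD feature is switched off, unless that policy rule (outside these hunks) also prevents the new ability — could still read the same statistics through `pipelineAnalytics`. If the `authorize` macro accepts several abilities, as I believe it does in this codebase, `authorize :read_pipeline, :read_ci_cd_analytics` closes the gap at the resolver; otherwise the `builds_disabled` rule in `ProjectPolicy` should `prevent(:read_ci_cd_analytics)` and a spec should pin it. `resolve` continues past the end of the hunk.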
@@ -479,6 +480,7 @@ class ProjectPolicy < BasePolicy
     prevent(:read_insights)
     prevent(:read_cycle_analytics)
     prevent(:read_repository_graphs)
+    prevent(:read_ci_cd_analytics)
   end
 
   rule { wiki_disabled }.policy do
@@ -554,6 +556,7 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
     enable :read_pages_content
     enable :read_analytics
+    enable :read_ci_cd_analytics
     enable :read_insights
 
     # NOTE: may be overridden by IssuePolicy
diff --git a/lib/sidebars/projects/menus/analytics_menu.rb b/lib/sidebars/projects/menus/analytics_menu.rb
index 660965005c3..ea3a25d513e 100644
--- a/lib/sidebars/projects/menus/analytics_menu.rb
+++ b/lib/sidebars/projects/menus/analytics_menu.rb
@@ -46,6 +46,7 @@ module Sidebars
       def ci_cd_analytics_menu_item
         if !context.project.feature_available?(:builds, context.current_user) ||
             !can?(context.current_user, :read_build, context.project) ||
+            !can?(context.current_user, :read_ci_cd_analytics, context.project) ||
             context.project.empty_repo?
           return ::Sidebars::NilMenuItem.new(item_id: :ci_cd_analytics)
         end
diff --git a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
index c0367f7d42e..ccc861baae5 100644
--- a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
+++ b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
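Review bot: With the added `!can?(... :read_ci_cd_analytics ...)` the guard in `ci_cd_analytics_menu_item` is now four negated conditions joined by `||` whose only body is a `return`, which is hard to read and easy to get wrong the next time a gate is added; a positively named predicate with a `return ... unless` reads as the access rule it is. Note that this menu is also the strictest of the three gates in the commit (feature flag, `read_build`, `read_ci_cd_analytics`, non-empty repo), which is fine for UI, but the sidebar is not an enforcement point, so the resolver and controller are the ones that must match the policy. The method body continues past the hunk, so the rewrite below leaves its `def` open.
```ruby
# All four gates must hold for the CI/CD analytics item to be rendered.
def ci_cd_analytics_visible?
  context.project.feature_available?(:builds, context.current_user) &&
    can?(context.current_user, :read_build, context.project) &&
    can?(context.current_user, :read_ci_cd_analytics, context.project) &&
    !context.project.empty_repo?
end

def ci_cd_analytics_menu_item
  return ::Sidebars::NilMenuItem.new(item_id: :ci_cd_analytics) unless ci_cd_analytics_visible?
  # … unchanged: rest of the method, which continues past the hunk …
```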
@@ -5,14 +5,24 @@ require 'spec_helper'
 RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
   include GraphqlHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, :private) }
+  let_it_be(:guest) { create(:user) }
+  let_it_be(:reporter) { create(:user) }
+
+  let(:current_user) { reporter }
+
+  before_all do
+    project.add_guest(guest)
+    project.add_reporter(reporter)
+  end
 
   specify do
     expect(described_class).to have_nullable_graphql_type(::Types::Ci::AnalyticsType)
   end
 
   def resolve_statistics(project, args)
-    resolve(described_class, obj: project, args: args)
+    ctx = { current_user: current_user }
+    resolve(described_class, obj: project, args: args, ctx: ctx)
   end
 
   describe '#resolve' do
@@ -32,5 +42,15 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
         :pipeline_times_values
       )
     end
+
+    context 'when the user does not have access to the CI/CD analytics data' do
+      let(:current_user) { guest }
+
+      it 'returns nil' do
+        result = resolve_statistics(project, {})
+
+        expect(result).to be_nil
+      end
+    end
   end
 end
diff --git a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
index ed94b81520e..9d5f029fff5 100644
--- a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
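Review bot: The only negative example added to the `#resolve` block is a guest member; the resolver was previously callable with no user at all, and the project is now `:private`, so the anonymous and non-member cases are the ones most worth pinning and neither is exercised. Since `resolve_statistics` now threads `current_user` through `ctx`, the case is three lines: `context 'when there is no current user' do`, `let(:current_user) { nil }`, `it { expect(resolve_statistics(project, {})).to be_nil }`. A sibling context using `create(:user)` that is never added to the project would cover the non-member path the same way.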
@@ -4,15 +4,19 @@ require 'spec_helper'
 
 RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
   let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:guest) do
+    create(:user).tap { |u| project.add_guest(u) }
+  end
 
-  let(:user) { project.owner }
-  let(:context) { Sidebars::Projects::Context.new(current_user: user, container: project, current_ref: project.repository.root_ref) }
+  let(:owner) { project.owner }
+  let(:current_user) { owner }
+  let(:context) { Sidebars::Projects::Context.new(current_user: current_user, container: project, current_ref: project.repository.root_ref) }
 
   subject { described_class.new(context) }
 
   describe '#render?' do
     context 'whe user cannot read analytics' do
-      let(:user) { nil }
+      let(:current_user) { nil }
 
       it 'returns false' do
         expect(subject.render?).to be false
@@ -79,7 +83,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
     end
 
     describe 'when the user does not have access' do
-      let(:user) { nil }
+      let(:current_user) { guest }
 
       specify { is_expected.to be_nil }
     end
@@ -99,7 +103,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
     end
 
     describe 'when the user does not have access' do
-      let(:user) { nil }
+      let(:current_user) { nil }
 
       specify { is_expected.to be_nil }
     end
@@ -111,7 +115,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
     specify { is_expected.not_to be_nil }
 
     describe 'when the user does not have access' do
-      let(:user) { nil }
+      let(:current_user) { nil }
 
       specify { is_expected.to be_nil }
     end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 8f3cac205be..a94c3748e7d 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
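Review bot: In the hunk at line 79 the "does not have access" example swaps `nil` for `guest`, so the anonymous case that this describe used to cover is dropped rather than supplemented, while the two later describes keep `nil`; the guest case is the one the new `read_ci_cd_analytics` check needs, but both outcomes are worth keeping. The cheapest fix is a second describe next to it: `describe 'when there is no current user' do`, `let(:current_user) { nil }`, `specify { is_expected.to be_nil }`. Which menu item this describe belongs to is outside the hunk, presumably the CI/CD analytics item given the policy change, so that is worth confirming before relying on it as the regression test for this fix.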
@@ -1130,12 +1130,20 @@ RSpec.describe ProjectPolicy do
     let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
 
     before do
+      project_with_analytics_disabled.add_guest(guest)
+      project_with_analytics_private.add_guest(guest)
+      project_with_analytics_enabled.add_guest(guest)
+
+      project_with_analytics_disabled.add_reporter(reporter)
+      project_with_analytics_private.add_reporter(reporter)
+      project_with_analytics_enabled.add_reporter(reporter)
+
       project_with_analytics_disabled.add_developer(developer)
       project_with_analytics_private.add_developer(developer)
       project_with_analytics_enabled.add_developer(developer)
     end
 
-    context 'when analytics is enabled for the project' do
+    context 'when analytics is disabled for the project' do
       let(:project) { project_with_analytics_disabled }
 
       context 'for guest user' do
@@ -1144,6 +1152,16 @@ RSpec.describe ProjectPolicy do
         it { is_expected.to be_disallowed(:read_cycle_analytics) }
         it { is_expected.to be_disallowed(:read_insights) }
         it { is_expected.to be_disallowed(:read_repository_graphs) }
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+      end
+
+      context 'for reporter user' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_disallowed(:read_cycle_analytics) }
+        it { is_expected.to be_disallowed(:read_insights) }
+        it { is_expected.to be_disallowed(:read_repository_graphs) }
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
       end
 
       context 'for developer' do
@@ -1152,6 +1170,7 @@ RSpec.describe ProjectPolicy do
         it { is_expected.to be_disallowed(:read_cycle_analytics) }
         it { is_expected.to be_disallowed(:read_insights) }
         it { is_expected.to be_disallowed(:read_repository_graphs) }
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
       end
     end
 
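Review bot: The `before` block in the hunk at line 1130 now spells out three roles times three projects as nine near-identical lines, and every new role will add three more; iterating the projects once keeps the membership matrix in one place and makes a missing combination visible. The memberships are also granted per example with `before` against `let_it_be` projects, whereas the resolver spec in the same commit uses `before_all` for the same thing; if the rest of this file permits it, `before_all` would be both consistent and cheaper, but I cannot see the enclosing setup to say for certain. The context relabel to 'when analytics is disabled for the project' is a correct fix for what was clearly a copy-paste label.
```ruby
before do
  [project_with_analytics_disabled, project_with_analytics_private, project_with_analytics_enabled].each do |target|
    target.add_guest(guest)
    target.add_reporter(reporter)
    target.add_developer(developer)
  end
end
```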
@@ -1161,9 +1180,19 @@ RSpec.describe ProjectPolicy do
       context 'for guest user' do
         let(:current_user) { guest }
 
-        it { is_expected.to be_disallowed(:read_cycle_analytics) }
-        it { is_expected.to be_disallowed(:read_insights) }
+        it { is_expected.to be_allowed(:read_cycle_analytics) }
+        it { is_expected.to be_allowed(:read_insights) }
         it { is_expected.to be_disallowed(:read_repository_graphs) }
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+      end
+
+      context 'for reporter user' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_allowed(:read_cycle_analytics) }
+        it { is_expected.to be_allowed(:read_insights) }
+        it { is_expected.to be_allowed(:read_repository_graphs) }
+        it { is_expected.to be_allowed(:read_ci_cd_analytics) }
       end
 
       context 'for developer' do
@@ -1172,18 +1201,29 @@ RSpec.describe ProjectPolicy do
         it { is_expected.to be_allowed(:read_cycle_analytics) }
         it { is_expected.to be_allowed(:read_insights) }
         it { is_expected.to be_allowed(:read_repository_graphs) }
+        it { is_expected.to be_allowed(:read_ci_cd_analytics) }
       end
     end
 
     context 'when analytics is enabled for the project' do
-      let(:project) { project_with_analytics_private }
+      let(:project) { project_with_analytics_enabled }
 
       context 'for guest user' do
         let(:current_user) { guest }
 
-        it { is_expected.to be_disallowed(:read_cycle_analytics) }
-        it { is_expected.to be_disallowed(:read_insights) }
+        it { is_expected.to be_allowed(:read_cycle_analytics) }
+        it { is_expected.to be_allowed(:read_insights) }
         it { is_expected.to be_disallowed(:read_repository_graphs) }
+        it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+      end
+
+      context 'for reporter user' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_allowed(:read_cycle_analytics) }
+        it { is_expected.to be_allowed(:read_insights) }
+        it { is_expected.to be_allowed(:read_repository_graphs) }
+        it { is_expected.to be_allowed(:read_ci_cd_analytics) }
       end
 
       context 'for developer' do
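Review bot: Every example in these two hunks is a project member (guest, reporter, developer), so the `enable :read_ci_cd_analytics` that the policy hunk adds to the rule alongside `read_analytics` and `read_pages_content` — which looks like the public-access rule rather than a role rule, though its `rule { ... }` line is outside the hunk — is never observed from the outside. For the `project_with_analytics_enabled` block a non-member and an anonymous context would pin whichever outcome is intended, e.g. `context 'for non-member' do`, `let(:current_user) { non_member }`, `it { is_expected.to be_disallowed(:read_ci_cd_analytics) }` if the project is private by default in this factory, or `be_allowed` if the rule is meant to grant it to everyone on a public project; the shared `ProjectPolicy` context in this file defines `non_member` and `anonymous`, if I remember right. Flipping the guest expectations for `read_cycle_analytics`/`read_insights` to `be_allowed` is consistent with guests now actually being members of the project, but a one-line comment above those contexts saying the earlier assertions passed only because the users were not members would save the next reader the same investigation.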
@@ -1192,6 +1232,7 @@ RSpec.describe ProjectPolicy do
         it { is_expected.to be_allowed(:read_cycle_analytics) }
         it { is_expected.to be_allowed(:read_insights) }
         it { is_expected.to be_allowed(:read_repository_graphs) }
+        it { is_expected.to be_allowed(:read_ci_cd_analytics) }
       end
     end
   end