summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-02 22:29:43 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-02 22:29:43 +0000
commitc7c74818948dbc63a284bb617b2af1937f999cc8 (patch)
treee34c4d4103dca7b2877e766f540415d4cf10a085 /app
parent6cb0610108a079ae27d96d61c48216a9f3b0c476 (diff)
downloadgitlab-ce-c7c74818948dbc63a284bb617b2af1937f999cc8.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/controllers/invites_controller.rb4
-rw-r--r--app/controllers/projects/pipelines_controller.rb2
-rw-r--r--app/policies/issue_policy.rb13
-rw-r--r--app/policies/personal_access_token_policy.rb2
-rw-r--r--app/policies/project_policy.rb1
-rw-r--r--app/views/invites/show.html.haml41
6 files changed, 38 insertions, 25 deletions
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index e6aae144da6..3c81b698546 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -20,7 +20,7 @@ class InvitesController < ApplicationController
end
def accept
- if member.accept_invite!(current_user)
+ if current_user_matches_invite? && member.accept_invite!(current_user)
redirect_to invite_details[:path], notice: helpers.invite_accepted_notice(member)
else
redirect_back_or_default(options: { alert: _("The invitation could not be accepted.") })
@@ -52,7 +52,7 @@ class InvitesController < ApplicationController
end
def current_user_matches_invite?
- @member.invite_email == current_user.email
+ current_user.verified_emails.include?(@member.invite_email)
end
def member?
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index b4196878c4f..0f7dc2afd0d 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -8,7 +8,7 @@ class Projects::PipelinesController < Projects::ApplicationController
before_action :pipeline, except: [:index, :new, :create, :charts, :config_variables]
before_action :set_pipeline_path, only: [:show]
before_action :authorize_read_pipeline!
- before_action :authorize_read_build!, only: [:index]
+ before_action :authorize_read_build!, only: [:index, :show]
before_action :authorize_read_analytics!, only: [:charts]
before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
before_action :authorize_update_pipeline!, only: [:retry, :cancel]
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index e58179e320d..053243e2296 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -44,7 +44,18 @@ class IssuePolicy < IssuablePolicy
enable :update_subscription
end
- rule { ~persisted & can?(:guest_access) }.policy do
+ # admin can set metadata on new issues
+ rule { ~persisted & admin }.policy do
+ enable :set_issue_metadata
+ end
+
+ # support bot needs to be able to set metadata on new issues when service desk is enabled
+ rule { ~persisted & support_bot & can?(:guest_access) }.policy do
+ enable :set_issue_metadata
+ end
+
+ # guest members need to be able to set issue metadata per https://gitlab.com/gitlab-org/gitlab/-/issues/300100
+ rule { ~persisted & is_project_member & can?(:guest_access) }.policy do
enable :set_issue_metadata
end
diff --git a/app/policies/personal_access_token_policy.rb b/app/policies/personal_access_token_policy.rb
index 1e5404b7822..31c973f575b 100644
--- a/app/policies/personal_access_token_policy.rb
+++ b/app/policies/personal_access_token_policy.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class PersonalAccessTokenPolicy < BasePolicy
- condition(:is_owner) { user && subject.user_id == user.id }
+ condition(:is_owner) { user && subject.user_id == user.id && !subject.impersonation }
rule { (is_owner | admin) & ~blocked }.policy do
enable :read_token
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 85547834a2e..fc959c5c6cb 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -673,6 +673,7 @@ class ProjectPolicy < BasePolicy
rule { support_bot & ~service_desk_enabled }.policy do
prevent :create_note
prevent :read_project
+ prevent :guest_access
end
rule { project_bot }.enable :project_bot_access
diff --git a/app/views/invites/show.html.haml b/app/views/invites/show.html.haml
index ae13ef831dd..3622fc46983 100644
--- a/app/views/invites/show.html.haml
+++ b/app/views/invites/show.html.haml
@@ -1,29 +1,30 @@
- page_title _("Invitation")
%h3.page-title= _("Invitation")
-%p
- = _("You have been invited")
- - inviter = @member.created_by
- - if inviter
- = _("by")
- = link_to inviter.name, user_url(inviter)
- = _("to join %{source_name}") % { source_name: @invite_details[:title] }
- %strong
- = link_to @invite_details[:name], @invite_details[:url]
- = _("as %{role}.") % { role: @member.human_access }
+- if current_user_matches_invite?
+ - if member?
+ %p
+ = _("You are already a member of this %{member_source}.") % { member_source: @invite_details[:title] }
+ .actions
+ = link_to _("Go to %{source_name}") % { source_name: @invite_details[:title] }, @invite_details[:url], class: "btn gl-button btn-confirm"
-- if member?
- %p
- = _("However, you are already a member of this %{member_source}. Sign in using a different account to accept the invitation.") % { member_source: @invite_details[:title] }
+ - else
+ %p
+ - inviter = @member.created_by
+ - link_to_inviter = link_to(inviter.name, user_url(inviter))
+ - link_to_source = link_to(@invite_details[:name], @invite_details[:url])
+
+ = html_escape(_("You have been invited by %{link_to_inviter} to join %{source_name} %{strong_open}%{link_to_source}%{strong_close} as %{role}")) % { link_to_inviter: link_to_inviter, source_name: @invite_details[:title], strong_open: '<strong>'.html_safe, link_to_source: link_to_source, strong_close: '</strong>'.html_safe, role: @member.human_access }
+
+ .actions
+ = link_to _("Accept invitation"), accept_invite_url(@token), method: :post, class: "btn gl-button btn-confirm"
+ = link_to _("Decline"), decline_invite_url(@token), method: :post, class: "btn gl-button btn-danger gl-ml-3"
-- if !current_user_matches_invite?
+- else
%p
- mail_to_invite_email = mail_to(@member.invite_email)
- mail_to_current_user = mail_to(current_user.email)
- link_to_current_user = link_to(current_user.to_reference, user_url(current_user))
- = _("Note that this invitation was sent to %{mail_to_invite_email}, but you are signed in as %{link_to_current_user} with email %{mail_to_current_user}.").html_safe % { mail_to_invite_email: mail_to_invite_email, mail_to_current_user: mail_to_current_user, link_to_current_user: link_to_current_user }
-
-- if !member?
- .actions
- = link_to _("Accept invitation"), accept_invite_url(@token), method: :post, class: "btn gl-button btn-confirm"
- = link_to _("Decline"), decline_invite_url(@token), method: :post, class: "btn gl-button btn-danger gl-ml-3"
+ = _("This invitation was sent to %{mail_to_invite_email}, but you are signed in as %{link_to_current_user} with email %{mail_to_current_user}.").html_safe % { mail_to_invite_email: mail_to_invite_email, mail_to_current_user: mail_to_current_user, link_to_current_user: link_to_current_user }
+ %p
+ = _("Sign in as a user with the matching email address, add the email to this account, or sign-up for a new account using the matching email.")