author | Sarah Yasonik <syasonik@gitlab.com> | 2019-06-27 10:54:29 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2019-06-27 10:54:29 +0000 |
commit | 9c50cf03f5cfe5df5eff28edb80aa9fc1ab9fe6e (patch) | |
tree | 8c0c12fd13fba5585ad66033cc52bf6d343a512d /lib/gitlab | |
parent | e7193f235643a4b53d82206a7771586bcc46c88a (diff) | |
download | gitlab-ce-9c50cf03f5cfe5df5eff28edb80aa9fc1ab9fe6e.tar.gz |
Add permission check to dashboards
Adds permission checks to the metrics_dashboard endpoint. Users
with role of Reporter or above should have access to view the
metrics for a given project.
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/metrics/dashboard/base_service.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/gitlab/metrics/dashboard/base_service.rb b/lib/gitlab/metrics/dashboard/base_service.rb index 90895eb237a..0628e82e592 100644 --- a/lib/gitlab/metrics/dashboard/base_service.rb +++ b/lib/gitlab/metrics/dashboard/base_service.rb @@ -10,6 +10,8 @@ module Gitlab NOT_FOUND_ERROR = Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError def get_dashboard + return error('Insufficient permissions.', :unauthorized) unless allowed? + success(dashboard: process_dashboard) rescue NOT_FOUND_ERROR error("#{dashboard_path} could not be found.", :not_found) @@ -30,6 +32,12 @@ module Gitlab private + # Determines whether users should be able to view + # dashboards at all. + def allowed? + Ability.allowed?(current_user, :read_environment, project) + end + # Returns a new dashboard Hash, supplemented with DB info def process_dashboard Gitlab::Metrics::Dashboard::Processor |
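Review bot: The denial on the first added line of `get_dashboard` uses the `:unauthorized` status, which reads as "not authenticated" rather than "authenticated but not permitted". If callers pass this symbol through as the HTTP status, a signed-in user below the required role gets a 401. Consider `:forbidden`, or reuse `:not_found` as the rescue branch below does if the endpoint should not confirm that the project or dashboard exists. Placing the guard before `process_dashboard` is right, since nothing is loaded for a denied user. The diffstat here is limited to `lib/gitlab`, so please confirm there is a spec covering the denied path and its returned status.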
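Review bot: In the new private `allowed?` method, the check is on `:read_environment`, while the commit message states the intent as "Reporter or above" for viewing metrics. The comment above the method only says it decides whether users can view dashboards at all; it should name the ability and say why `:read_environment` is the right proxy for dashboard access, so a later change to that policy does not silently widen or narrow this endpoint. A dedicated ability for reading the metrics dashboard would make the intent explicit. Since this lives in the base service, also note in the comment that subclasses overriding `allowed?` must stay at least as strict, and confirm the behaviour when `current_user` is nil.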