diff options
34 files changed, 804 insertions, 107 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md index 544033aea1e..23859102610 100644 --- a/CHANGELOG-EE.md +++ b/CHANGELOG-EE.md @@ -1,5 +1,188 @@ Please view this file on the master branch, on stable branches it's out of date. +## 12.3.0 + +### Security (3 changes) + +- Limit number of jobs in running pipelines for the past hour on per plan basis. !1182 +- Filter out old system notes for epics in notes api endpoint response. +- Do not allow creation of projects from group templates if project is not descendant of that group. + +### Removed (1 change) + +- Remove Ruby Elasticsearch indexer. !15641 + +### Fixed (53 changes, 5 of them are from the community) + +- LDAP group sync: check parent group membership and improve performance. !13435 (Alex Lossent) +- Added a migration which fixes discussions for existing promoted epics. !14708 +- Fix Docker Registry access when Group SAML session enforcement is active. !14843 +- Fix missing borders between settings items. !14877 +- SCIM uses fallbacks when name.formatted not present. !14878 +- Fix visibility of link to dependency-list in project sidebar based on permissions. !15066 +- Hide info for unlicensed projects on Ops Dashboard. !15099 +- Fix focus-visibility of vulnerability-actions within security dashboard. !15115 +- Resolve Design viewer does not respect version. !15119 +- Fix bug to display alert menu correctly in dashboards. !15261 +- Allow developer role to access group-level templates when creating a new project. !15364 +- Maintain related issues after moving issue. !15391 +- Fix the documentation link on the empty Dependency List page. !15402 +- Fix broken docs link on security dashboard. !15404 +- Change epics count in sidebar to only count open epics. !15459 +- Include ancestor group labels in autocomplete for epics. !15460 +- Enable target users across all feature flag environment scopes. !15500 +- Change payload for comparing security reports in MR widget. !15531 +- Add space between CI usage warning messages. !15563 (briankabiro) +- Make sure groups with templates finder returns subgroups. !15631 +- Properly delete files when a package is removed. !15634 +- Fix x-axis burndown chart offset by timezone. !15690 +- Resolve SRV records for DB load balancing. !15691 +- Ensure all CI minutes used are reset for all namespaces and relative projects. !15744 +- Show proper error in SCIM create user endpoint. !15756 +- Update permissions on Dependency List page. !15771 +- Allow ancestor group milestones in issue board scope. !15858 +- Show weight on new board issue. !16028 (Lee Tickett) +- Do not show 'automatically removed' suffix for manually removed labels. !16079 +- Link to the embedded doc in the Geo callout about hashed storage. !16114 +- Fix LFS authentication URL in EE. !16146 +- Prevent project's approval rules having same name. !16216 +- Fix create issue for container scanning from security dashboard. !16226 +- Add current_user to security report comparison services. !16252 +- Fix setting of weight of a new issue in board list. !16299 +- Update ExternalPullRequest on :synchronize action to ensure source_sha is updated locally. !16318 +- Fix wrong tier error message for Operations dashboard. !16319 +- Perform case insensitive diff on license names. !16335 +- Moves Buy additional minutes button to the pipelines tab. !16443 +- Update GitHub Importer Personal Access Token field description for CI/CD projects only to reflect latest OAuth changes. !16453 +- Use Pull Request number instead of internal Pull Request ID. !16504 +- Fix service desk emails not creating issues intermittently. !16577 +- Reinitialize metrics files on webserver master process start. !16623 +- Fix the group's epic page. The Paste issue link placeholder shown as 'undefinedundefinedundefined' in Chinese environment. And the error message showed nothing. !16628 (wdmcheng) +- Fix issue redirects going to /issues/:id/designs. !16638 +- Eliminate analytics feature flag requirement for /analytics routes. !16663 +- Match environment names case insensitively for feature flag spec search. !16691 +- Fix merge request redirects going to /commits page. !16705 +- Align text color for edited with issue/mr. !16721 +- Added Packages top item to the group level packages fly out navigation menu. !16791 +- Restores data for assignee changes in merge request webhooks. !16812 (Jesse Hall @jessehall3) +- Fix alignment of comments count in issue and MR lists. !16829 +- Wait until pipeline is completed before checking for software license violations. !16853 + +### Changed (27 changes, 1 of them is from the community) + +- Geo: Refactor data-sources to allow for replication of content in Object Storage. !13997 +- Improve UX multi assignees in MR. !14851 +- Add ability to block API pushes to protected branches when contents match CODEOWNERS rule. !14900 +- Add browser notications to add/edit/delete vulnability dismissal reasons. !15015 +- Geo: Add orphaned project registry cleaner. !15021 +- Update Security Dashboard for improved usability. !15050 +- Present SAST report comparison logic to backend. !15114 +- Ensure design notifications are sent. !15250 +- Apply the group setting "Restrict access by IP address" to API requests. !15282 +- Hide boards-switcher on group boards. !15293 (briankabiro) +- Group Security Dashboard shows projects with security reports only. !15334 +- Use GlEmptyState component for design management empty state. !15374 +- DB Load Balancing: Log Prometheus current number of hosts and current index. !15440 +- Clarify SSO enforcement setting behaviour. !15533 +- DB Load Balancing: Support SRV lookups. !15558 +- Add status checking behaviors to pipeline triggers. !15580 +- Only show Service Desk email address to project members. !15676 +- Use static status check names on GitHub integrations. !15737 +- Display the Security Dashboard in the Security tab of the pipeline view. !15824 +- Remove primary button from feature flags empty state and update text. !15841 +- Extend License Compliance entity for Pipelines and MR view. !15957 +- Improve DB load balancing log to log host offline due to replication lag. !15995 +- Eliminating `analytics` feature flag and introduce separate feature flags for Analytics features. !16102 +- Add asterisk to name field in new feature flag form. !16248 +- Update Container Scanning job template, use klar image. !16342 +- Improve projects list page UI. !16656 +- Add user feedback to exit routine of onboarding tour. + +### Performance (2 changes) + +- Send only necessary fields on mr-widget auto-refresh. !15495 +- Two step Routable lookup. !16621 + +### Added (46 changes, 1 of them is from the community) + +- Public project-level approval rule API. !13895 +- Support reordering issues and epics using Drag&Drop. !14565 +- Add deletion support for designs. !14656 +- Add Epics select dropdown to Issue sidebar. !14763 +- Edit delete vuln dismissal message. !14770 +- add Productivity Analytics page with basic charts. !14772 +- Add License information to the Dependency List based on current license rules. !14905 +- Adds an api to generate suggestions for username. !15048 +- Add Upgrade button to the User Billing page. !15075 +- Enable "only/except: external_pull_request" with GitHub integration when a pull request is open for the given ref. !15082 +- Allow to filter epics by timeframe or state using GraphQL. !15110 +- Support restricting group access by multiple IP subnets. !15142 +- Merge License info to Dependency List report. !15157 +- Add Licenses info into Dependencies response. !15160 +- Add 'License-Check' approval rule to enforce license compliance policy. !15196 +- Added a toggle to show/hide dismissed vulnerabilities in the security dashboard. !15333 +- Add audit event for archiving & unarchiving projects. !15362 +- Pressing the Escape key now closes designs in Design Management. !15379 +- Expose a count of Notes for a Design in a new notes_count property of DesignType in GraphQL. !15433 +- Implement public MR-level approval rules API. !15441 +- Cancel redundant merge train pipelines. !15450 +- Add vulnerabilities to Dependencies API. !15485 +- Expose a new events property of DesignType in GraphQL that represents the change that happened to a Design within a given version. !15561 +- Add new layout for trial. !15630 +- Track repository pushes as audit events. !15667 +- Create Metadata/Tags table. !15770 +- Allow SmartCard authentication to use SAN extensions. !15773 +- Maximum Users metric in Admin Dashboard includes current active user count. !15810 +- Public MR-level approval state API endpoint. !15859 +- Add secondary lag message on Git push over HTTP. !15901 +- Expose epic_iid in issues API. !15998 +- Refresh license approval check when a license is blacklisted. !16070 +- Disable editing of the 'License-Check' approval rule name. !16149 +- Implement Cluster Environments polling. !16316 +- Support creating project from template via API. !16352 +- Add link to additional shared minutes from pipeline quote overview. !16389 +- Add audit events for protected branches. !16399 +- Geo: Exit LogCursor if it has been failing for too long. !16408 +- Implement design comment counts and current-version status icon indicator. !16416 +- Track page view counts for Cycle Analytics and Productivity Analytics features. !16431 +- Update release blocks to support association of milestones. !16562 +- Set default whitespace diff behaviour. !16570 (Lee Tickett) +- Implement `/zoom` and `/remove_zoom` quick actions. !16609 +- Add Snowplow click tracking for issue sidebar. !16833 +- Upgrade pages to 1.9.0. +- Adds total usage information to the usage quotas page. + +### Other (27 changes, 8 of them are from the community) + +- Update Pipelines Minutes expiry banner to Alert Component. !14786 +- Add internal API for group cluster environments. !15096 +- Rename approval rule. !15140 +- Productivity Analytics: Add error handling for reporting on groups which have no plan. !15291 +- Convert Issue Analytics chart into ECharts. !15389 +- Display group's full name when creating a project from custom group-level project templates. !15392 +- Only in ee available selection entries in user settings adapted to match ce. !15452 (Marc Schwede) +- Rename Approvers field and modal title. !15461 +- Add a tooltip to Add Designs button. !15471 +- Show the paths for groups in groups dropdown. !15513 +- Turn epic dates into one clickable block. !15722 (Lee Tickett) +- Add default route for admin/geo. !15726 (Lee Tickett) +- Improve unapproved MR merge button text. !15745 (Lee Tickett) +- Update the ES indexer to v1.3.0. !15821 +- Groups dropdown: Fix group styles in dropdown. !15839 +- Document SRV handling for DB load balancing. !16000 +- Internationalization of shared/promotions/_promote_audit_events.html.haml. !16033 (Takuya Noguchi) +- Remove vue-resource from service_desk_service.js. !16041 (Lee Tickett) +- Remove unused classes for report comparison. !16045 +- Remove vue-resource from related-issues. !16057 (Lee Tickett) +- Add CI variable for repository languages. !16477 +- SAST template that doesn't rely on Docker-in-Docker. !16487 +- Adding docs for Web IDE Default Commit Options. !16629 +- Adding top border back to snippet files. !16709 +- Remove vue-resource from drafts. (Lee Tickett) +- Changing instance of key-modern icon to key icon. +- Fixes style-lint errors and warnings for EE builds.scss file. + + ## 12.2.5 ### Security (1 change) diff --git a/CHANGELOG.md b/CHANGELOG.md index b26a45e97e7..ed5264fae1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 12.3.1 + +### Fixed (4 changes) + +- Fix ordering of issue board lists not being persisted. !17356 +- Fix error when duplicate users are merged in approvers list. !17406 +- Fix bug that caused a merge to show an error message. !17466 +- Fix CSS leak in job log. + + ## 12.3.0 ### Security (23 changes) @@ -1 +1 @@ -12.3.0 +12.3.1 diff --git a/app/assets/javascripts/jobs/components/log/duration_badge.vue b/app/assets/javascripts/jobs/components/log/duration_badge.vue index 83f62703d27..31a101d2c95 100644 --- a/app/assets/javascripts/jobs/components/log/duration_badge.vue +++ b/app/assets/javascripts/jobs/components/log/duration_badge.vue @@ -9,5 +9,7 @@ export default { }; </script> <template> - <div class="duration rounded align-self-start px-2 ml-2 flex-shrink-0">{{ duration }}</div> + <div class="log-duration-badge rounded align-self-start px-2 ml-2 flex-shrink-0"> + {{ duration }} + </div> </template> diff --git a/app/assets/javascripts/jobs/components/log/line.vue b/app/assets/javascripts/jobs/components/log/line.vue index 336ae623f0f..4e09c85b25a 100644 --- a/app/assets/javascripts/jobs/components/log/line.vue +++ b/app/assets/javascripts/jobs/components/log/line.vue @@ -19,7 +19,7 @@ export default { </script> <template> - <div class="line"> + <div class="log-line"> <line-number :line-number="line.lineNumber" :path="path" /> <span v-for="(content, i) in line.content" :key="i" :class="content.style">{{ content.text diff --git a/app/assets/javascripts/jobs/components/log/line_header.vue b/app/assets/javascripts/jobs/components/log/line_header.vue index af8de9ec0fa..92cf3b3cf5f 100644 --- a/app/assets/javascripts/jobs/components/log/line_header.vue +++ b/app/assets/javascripts/jobs/components/log/line_header.vue @@ -43,7 +43,7 @@ export default { <template> <div - class="line collapsible-line d-flex justify-content-between" + class="log-line collapsible-line d-flex justify-content-between" role="button" @click="handleOnClick" > diff --git a/app/assets/stylesheets/framework/job_log.scss b/app/assets/stylesheets/framework/job_log.scss index 5c2491c8233..074b2405217 100644 --- a/app/assets/stylesheets/framework/job_log.scss +++ b/app/assets/stylesheets/framework/job_log.scss @@ -11,7 +11,7 @@ background-color: $builds-trace-bg; } -.line { +.log-line { padding: 1px $gl-padding 1px $job-log-line-padding; } @@ -40,7 +40,7 @@ } } -.duration { +.log-duration-badge { background: $gl-gray-400; } diff --git a/app/finders/resource_label_event_finder.rb b/app/finders/resource_label_event_finder.rb new file mode 100644 index 00000000000..9aafd6e91b9 --- /dev/null +++ b/app/finders/resource_label_event_finder.rb @@ -0,0 +1,41 @@ +# frozen_string_literal: true + +class ResourceLabelEventFinder + include FinderMethods + + MAX_PER_PAGE = 100 + + attr_reader :params, :current_user, :eventable + + def initialize(current_user, eventable, params = {}) + @current_user = current_user + @eventable = eventable + @params = params + end + + def execute + events = eventable.resource_label_events.inc_relations + events = events.page(page).per(per_page) + events = visible_to_user(events) + + Kaminari.paginate_array(events) + end + + private + + def visible_to_user(events) + ResourceLabelEvent.preload_label_subjects(events) + + events.select do |event| + Ability.allowed?(current_user, :read_label, event) + end + end + + def per_page + [params[:per_page], MAX_PER_PAGE].compact.min + end + + def page + params[:page] || 1 + end +end diff --git a/app/helpers/boards_helper.rb b/app/helpers/boards_helper.rb index 3f0679f9bf9..d3950219f3f 100644 --- a/app/helpers/boards_helper.rb +++ b/app/helpers/boards_helper.rb @@ -88,7 +88,7 @@ module BoardsHelper end def boards_link_text - if multiple_boards_available? + if current_board_parent.multiple_issue_boards_available? s_("IssueBoards|Boards") else s_("IssueBoards|Board") diff --git a/app/models/discussion.rb b/app/models/discussion.rb index dd896f77084..0d066d0d99f 100644 --- a/app/models/discussion.rb +++ b/app/models/discussion.rb @@ -18,6 +18,7 @@ class Discussion :for_merge_request?, :to_ability_name, :editable?, + :visible_for?, to: :first_note diff --git a/app/models/resource_label_event.rb b/app/models/resource_label_event.rb index 93d0a37d186..98fc9e7bae8 100644 --- a/app/models/resource_label_event.rb +++ b/app/models/resource_label_event.rb @@ -13,6 +13,7 @@ class ResourceLabelEvent < ApplicationRecord belongs_to :label scope :created_after, ->(time) { where('created_at > ?', time) } + scope :inc_relations, -> { includes(:label, :user) } validates :user, presence: { unless: :importing? }, on: :create validates :label, presence: { unless: :importing? }, on: :create @@ -30,6 +31,15 @@ class ResourceLabelEvent < ApplicationRecord %i(issue merge_request).freeze end + def self.preload_label_subjects(events) + labels = events.map(&:label).compact + project_labels, group_labels = labels.partition { |label| label.is_a? ProjectLabel } + + preloader = ActiveRecord::Associations::Preloader.new + preloader.preload(project_labels, { project: :project_feature }) + preloader.preload(group_labels, :group) + end + def issuable issue || merge_request end diff --git a/app/models/user.rb b/app/models/user.rb index 66defb4c707..a69db121a0b 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -267,6 +267,16 @@ class User < ApplicationRecord BLOCKED_MESSAGE end end + + # rubocop: disable CodeReuse/ServiceClass + # Ideally we should not call a service object here but user.block + # is also bcalled by Users::MigrateToGhostUserService which references + # this state transition object in order to do a rollback. + # For this reason the tradeoff is to disable this cop. + after_transition any => :blocked do |user| + Ci::CancelUserPipelinesService.new.execute(user) + end + # rubocop: enable CodeReuse/ServiceClass end # Scopes diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index 8d23e3abed3..b2af6c874c7 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -11,6 +11,8 @@ class NotePolicy < BasePolicy condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } + condition(:is_visible) { @subject.visible_for?(@user) } + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes @@ -27,6 +29,13 @@ class NotePolicy < BasePolicy enable :resolve_note end + rule { ~is_visible }.policy do + prevent :read_note + prevent :admin_note + prevent :resolve_note + prevent :award_emoji + end + rule { is_noteable_author }.policy do enable :resolve_note end diff --git a/app/policies/resource_label_event_policy.rb b/app/policies/resource_label_event_policy.rb new file mode 100644 index 00000000000..de4748d9890 --- /dev/null +++ b/app/policies/resource_label_event_policy.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +class ResourceLabelEventPolicy < BasePolicy + condition(:can_read_label) { @subject.label_id.nil? || can?(:read_label, @subject.label) } + condition(:can_read_issuable) { can?(:"read_#{@subject.issuable.to_ability_name}", @subject.issuable) } + + rule { can_read_label }.policy do + enable :read_label + end + + rule { can_read_label & can_read_issuable }.policy do + enable :read_resource_label_event + end +end diff --git a/app/services/boards/lists/update_service.rb b/app/services/boards/lists/update_service.rb index 2ddeb6f0bd8..ad96e42f756 100644 --- a/app/services/boards/lists/update_service.rb +++ b/app/services/boards/lists/update_service.rb @@ -4,10 +4,10 @@ module Boards module Lists class UpdateService < Boards::BaseService def execute(list) - return not_authorized if preferences? && !can_read?(list) - return not_authorized if position? && !can_admin?(list) + update_preferences_result = update_preferences(list) if can_read?(list) + update_position_result = update_position(list) if can_admin?(list) - if update_preferences(list) || update_position(list) + if update_preferences_result || update_position_result success(list: list) else error(list.errors.messages, 422) @@ -32,10 +32,6 @@ module Boards { collapsed: Gitlab::Utils.to_boolean(params[:collapsed]) } end - def not_authorized - error("Not authorized", 403) - end - def preferences? params.has_key?(:collapsed) end diff --git a/app/services/ci/cancel_user_pipelines_service.rb b/app/services/ci/cancel_user_pipelines_service.rb new file mode 100644 index 00000000000..bcafb6b4a35 --- /dev/null +++ b/app/services/ci/cancel_user_pipelines_service.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +module Ci + class CancelUserPipelinesService + # rubocop: disable CodeReuse/ActiveRecord + # This is a bug with CodeReuse/ActiveRecord cop + # https://gitlab.com/gitlab-org/gitlab/issues/32332 + def execute(user) + user.pipelines.cancelable.find_each(&:cancel_running) + end + # rubocop: enable CodeReuse/ActiveRecord + end +end diff --git a/app/views/clusters/clusters/show.html.haml b/app/views/clusters/clusters/show.html.haml index 00fdd5e9562..cccba48624b 100644 --- a/app/views/clusters/clusters/show.html.haml +++ b/app/views/clusters/clusters/show.html.haml @@ -3,6 +3,7 @@ - breadcrumb_title @cluster.name - page_title _('Kubernetes Cluster') - manage_prometheus_path = edit_project_service_path(@cluster.project, 'prometheus') if @project +- cluster_environments_path = clusterable.environments_cluster_path(@cluster) - expanded = expanded_by_default? @@ -16,7 +17,7 @@ install_jupyter_path: clusterable.install_applications_cluster_path(@cluster, :jupyter), install_knative_path: clusterable.install_applications_cluster_path(@cluster, :knative), update_knative_path: clusterable.update_applications_cluster_path(@cluster, :knative), - cluster_environments_path: clusterable.environments_cluster_path(@cluster), + cluster_environments_path: cluster_environments_path, toggle_status: @cluster.enabled? ? 'true': 'false', has_rbac: has_rbac_enabled?(@cluster) ? 'true': 'false', cluster_type: @cluster.cluster_type, @@ -37,7 +38,7 @@ %h4= @cluster.name = render 'banner' - = render_if_exists 'clusters/clusters/group_cluster_environments', expanded: expanded - - - unless Gitlab.ee? + - if cluster_environments_path.present? + = render_if_exists 'clusters/clusters/group_cluster_environments', expanded: expanded + - else = render 'configure', expanded: expanded diff --git a/app/views/shared/issuable/_search_bar.html.haml b/app/views/shared/issuable/_search_bar.html.haml index de994250649..c9458475aa5 100644 --- a/app/views/shared/issuable/_search_bar.html.haml +++ b/app/views/shared/issuable/_search_bar.html.haml @@ -6,7 +6,7 @@ .issues-filters{ class: ("w-100" if type == :boards_modal) } .issues-details-filters.filtered-search-block.d-flex.flex-column.flex-md-row{ class: block_css_class, "v-pre" => type == :boards_modal } - - if type == :boards && (multiple_boards_available? || current_board_parent.boards.size > 1) + - if type == :boards = render "shared/boards/switcher", board: board = form_tag page_filter_path, method: :get, class: 'filter-form js-filter-form w-100' do - if params[:search].present? diff --git a/changelogs/unreleased/security-12630-private-system-note-disclosed-in-graphql.yml b/changelogs/unreleased/security-12630-private-system-note-disclosed-in-graphql.yml new file mode 100644 index 00000000000..03658c931a3 --- /dev/null +++ b/changelogs/unreleased/security-12630-private-system-note-disclosed-in-graphql.yml @@ -0,0 +1,6 @@ +--- +title: Add a policy check for system notes that may not be visible due to cross references + to private items +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-cross-reference-fix.yml b/changelogs/unreleased/security-cross-reference-fix.yml new file mode 100644 index 00000000000..15d6509fd63 --- /dev/null +++ b/changelogs/unreleased/security-cross-reference-fix.yml @@ -0,0 +1,5 @@ +--- +title: Do not show resource label events referencing not accessible labels. +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml b/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml new file mode 100644 index 00000000000..1bc4345d5b6 --- /dev/null +++ b/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml @@ -0,0 +1,5 @@ +--- +title: Cancel all running CI jobs triggered by the user who is just blocked +merge_request: +author: +type: security diff --git a/lib/api/resource_label_events.rb b/lib/api/resource_label_events.rb index 505a6c68c9c..062115c5103 100644 --- a/lib/api/resource_label_events.rb +++ b/lib/api/resource_label_events.rb @@ -24,14 +24,14 @@ module API use :pagination end - # rubocop: disable CodeReuse/ActiveRecord get ":id/#{eventables_str}/:eventable_id/resource_label_events" do eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id]) - events = eventable.resource_label_events.includes(:label, :user) + + opts = { page: params[:page], per_page: params[:per_page] } + events = ResourceLabelEventFinder.new(current_user, eventable, opts).execute present paginate(events), with: Entities::ResourceLabelEvent end - # rubocop: enable CodeReuse/ActiveRecord desc "Get a single #{eventable_type.to_s.downcase} resource label event" do success Entities::ResourceLabelEvent @@ -45,6 +45,8 @@ module API eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id]) event = eventable.resource_label_events.find(params[:event_id]) + not_found!('ResourceLabelEvent') unless can?(current_user, :read_resource_label_event, event) + present event, with: Entities::ResourceLabelEvent end end diff --git a/spec/controllers/boards/lists_controller_spec.rb b/spec/controllers/boards/lists_controller_spec.rb index 802fc1770a4..77b5872fcb3 100644 --- a/spec/controllers/boards/lists_controller_spec.rb +++ b/spec/controllers/boards/lists_controller_spec.rb @@ -162,10 +162,10 @@ describe Boards::ListsController do end context 'with unauthorized user' do - it 'returns a forbidden 403 response' do + it 'returns a 422 unprocessable entity response' do move user: guest, board: board, list: planning, position: 6 - expect(response).to have_gitlab_http_status(403) + expect(response).to have_gitlab_http_status(422) end end diff --git a/spec/features/clusters/cluster_detail_page_spec.rb b/spec/features/clusters/cluster_detail_page_spec.rb index 683c57a97f8..927862689c1 100644 --- a/spec/features/clusters/cluster_detail_page_spec.rb +++ b/spec/features/clusters/cluster_detail_page_spec.rb @@ -13,7 +13,7 @@ describe 'Clusterable > Show page' do sign_in(current_user) end - shared_examples 'editing domain' do + shared_examples 'show page' do before do clusterable.add_maintainer(current_user) end @@ -53,6 +53,12 @@ describe 'Clusterable > Show page' do end end end + + it 'does not show the environments tab' do + visit cluster_path + + expect(page).not_to have_selector('.js-cluster-nav-environments', text: 'Environments') + end end shared_examples 'editing a GCP cluster' do @@ -113,42 +119,30 @@ describe 'Clusterable > Show page' do end context 'when clusterable is a project' do - it_behaves_like 'editing domain' do - let(:clusterable) { create(:project) } - let(:cluster) { create(:cluster, :provided_by_gcp, :project, projects: [clusterable]) } - let(:cluster_path) { project_cluster_path(clusterable, cluster) } - end + let(:clusterable) { create(:project) } + let(:cluster_path) { project_cluster_path(clusterable, cluster) } + let(:cluster) { create(:cluster, :provided_by_gcp, :project, projects: [clusterable]) } - it_behaves_like 'editing a GCP cluster' do - let(:clusterable) { create(:project) } - let(:cluster) { create(:cluster, :provided_by_gcp, :project, projects: [clusterable]) } - let(:cluster_path) { project_cluster_path(clusterable, cluster) } - end + it_behaves_like 'show page' + + it_behaves_like 'editing a GCP cluster' it_behaves_like 'editing a user-provided cluster' do - let(:clusterable) { create(:project) } let(:cluster) { create(:cluster, :provided_by_user, :project, projects: [clusterable]) } - let(:cluster_path) { project_cluster_path(clusterable, cluster) } end end context 'when clusterable is a group' do - it_behaves_like 'editing domain' do - let(:clusterable) { create(:group) } - let(:cluster) { create(:cluster, :provided_by_gcp, :group, groups: [clusterable]) } - let(:cluster_path) { group_cluster_path(clusterable, cluster) } - end + let(:clusterable) { create(:group) } + let(:cluster_path) { group_cluster_path(clusterable, cluster) } + let(:cluster) { create(:cluster, :provided_by_gcp, :group, groups: [clusterable]) } - it_behaves_like 'editing a GCP cluster' do - let(:clusterable) { create(:group) } - let(:cluster) { create(:cluster, :provided_by_gcp, :group, groups: [clusterable]) } - let(:cluster_path) { group_cluster_path(clusterable, cluster) } - end + it_behaves_like 'show page' + + it_behaves_like 'editing a GCP cluster' it_behaves_like 'editing a user-provided cluster' do - let(:clusterable) { create(:group) } let(:cluster) { create(:cluster, :provided_by_user, :group, groups: [clusterable]) } - let(:cluster_path) { group_cluster_path(clusterable, cluster) } end end end diff --git a/spec/finders/resource_label_event_finder_spec.rb b/spec/finders/resource_label_event_finder_spec.rb new file mode 100644 index 00000000000..c894387100d --- /dev/null +++ b/spec/finders/resource_label_event_finder_spec.rb @@ -0,0 +1,61 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe ResourceLabelEventFinder do + set(:user) { create(:user) } + set(:issue_project) { create(:project) } + set(:issue) { create(:issue, project: issue_project) } + + describe '#execute' do + subject { described_class.new(user, issue).execute } + + it 'returns events with labels accessible by user' do + label = create(:label, project: issue_project) + event = create_event(label) + issue_project.add_guest(user) + + expect(subject).to eq [event] + end + + it 'filters events with public project labels if issues and MRs are private' do + project = create(:project, :public, :issues_private, :merge_requests_private) + label = create(:label, project: project) + create_event(label) + + expect(subject).to be_empty + end + + it 'filters events with project labels not accessible by user' do + project = create(:project, :private) + label = create(:label, project: project) + create_event(label) + + expect(subject).to be_empty + end + + it 'filters events with group labels not accessible by user' do + group = create(:group, :private) + label = create(:group_label, group: group) + create_event(label) + + expect(subject).to be_empty + end + + it 'paginates results' do + label = create(:label, project: issue_project) + create_event(label) + create_event(label) + issue_project.add_guest(user) + + paginated = described_class.new(user, issue, per_page: 1).execute + + expect(subject.count).to eq 2 + expect(paginated.count).to eq 1 + end + + def create_event(label) + create(:resource_label_event, issue: issue, label: label) + end + end +end diff --git a/spec/graphql/types/issue_type_spec.rb b/spec/graphql/types/issue_type_spec.rb index 799a8662b94..734e5af3cd8 100644 --- a/spec/graphql/types/issue_type_spec.rb +++ b/spec/graphql/types/issue_type_spec.rb @@ -17,4 +17,83 @@ describe GitlabSchema.types['Issue'] do expect(described_class).to have_graphql_field(field_name) end end + + describe "issue notes" do + let(:user) { create(:user) } + let(:project) { create(:project, :public) } + let(:issue) { create(:issue, project: project) } + let(:confidential_issue) { create(:issue, :confidential, project: project) } + let(:private_note_body) { "mentioned in issue #{confidential_issue.to_reference(project)}" } + let!(:note1) { create(:note, system: true, noteable: issue, author: user, project: project, note: private_note_body) } + let!(:note2) { create(:note, system: true, noteable: issue, author: user, project: project, note: 'public note') } + + let(:query) do + %( + query { + project(fullPath:"#{project.full_path}"){ + issue(iid:"#{issue.iid}"){ + descriptionHtml + notes{ + edges{ + node{ + bodyHtml + author{ + username + } + body + } + } + } + } + } + } + ) + end + + context 'query issue notes' do + subject { GitlabSchema.execute(query, context: { current_user: current_user }).as_json } + + shared_examples_for 'does not include private notes' do + it "does not return private notes" do + notes = subject.dig("data", "project", "issue", "notes", 'edges') + notes_body = notes.map {|n| n.dig('node', 'body')} + + expect(notes.size).to eq 1 + expect(notes_body).not_to include(private_note_body) + expect(notes_body).to include('public note') + end + end + + shared_examples_for 'includes private notes' do + it "returns all notes" do + notes = subject.dig("data", "project", "issue", "notes", 'edges') + notes_body = notes.map {|n| n.dig('node', 'body')} + + expect(notes.size).to eq 2 + expect(notes_body).to include(private_note_body) + expect(notes_body).to include('public note') + end + end + + context 'when user signed in' do + let(:current_user) { user } + + it_behaves_like 'does not include private notes' + + context 'when user member of the project' do + before do + project.add_developer(user) + end + + it_behaves_like 'includes private notes' + end + end + + context 'when user is anonymous' do + let(:current_user) { nil } + + it_behaves_like 'does not include private notes' + end + end + end end diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 228d1ce9964..a701b858783 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -1097,11 +1097,27 @@ describe User do describe 'blocking user' do let(:user) { create(:user, name: 'John Smith') } - it "blocks user" do + it 'blocks user' do user.block expect(user.blocked?).to be_truthy end + + context 'when user has running CI pipelines' do + let(:service) { double } + + before do + pipeline = create(:ci_pipeline, :running, user: user) + create(:ci_build, :running, pipeline: pipeline) + end + + it 'cancels all running pipelines and related jobs' do + expect(Ci::CancelUserPipelinesService).to receive(:new).and_return(service) + expect(service).to receive(:execute).with(user) + + user.block + end + end end describe '.filter_items' do diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index bcf021f1dfd..d18ded8bce9 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -152,6 +152,89 @@ describe NotePolicy do it_behaves_like 'a discussion with a private noteable' end end + + context 'when it is a system note' do + let(:developer) { create(:user) } + let(:any_user) { create(:user) } + + shared_examples_for 'user can read the note' do + it 'allows the user to read the note' do + expect(policy).to be_allowed(:read_note) + end + end + + shared_examples_for 'user can act on the note' do + it 'allows the user to read the note' do + expect(policy).not_to be_allowed(:admin_note) + expect(policy).to be_allowed(:resolve_note) + expect(policy).to be_allowed(:award_emoji) + end + end + + shared_examples_for 'user cannot read or act on the note' do + it 'allows user to read the note' do + expect(policy).not_to be_allowed(:admin_note) + expect(policy).not_to be_allowed(:resolve_note) + expect(policy).not_to be_allowed(:read_note) + expect(policy).not_to be_allowed(:award_emoji) + end + end + + context 'when noteable is a public issue' do + let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) } + + before do + project.add_developer(developer) + end + + context 'when user is project member' do + let(:policy) { described_class.new(developer, note) } + + it_behaves_like 'user can read the note' + it_behaves_like 'user can act on the note' + end + + context 'when user is not project member' do + let(:policy) { described_class.new(any_user, note) } + + it_behaves_like 'user can read the note' + end + + context 'when user is anonymous' do + let(:policy) { described_class.new(nil, note) } + + it_behaves_like 'user can read the note' + end + end + + context 'when it is a system note referencing a confidential issue' do + let(:confidential_issue) { create(:issue, :confidential, project: project) } + let(:note) { create(:note, system: true, noteable: issue, author: user, project: project, note: "mentioned in issue #{confidential_issue.to_reference(project)}") } + + before do + project.add_developer(developer) + end + + context 'when user is project member' do + let(:policy) { described_class.new(developer, note) } + + it_behaves_like 'user can read the note' + it_behaves_like 'user can act on the note' + end + + context 'when user is not project member' do + let(:policy) { described_class.new(any_user, note) } + + it_behaves_like 'user cannot read or act on the note' + end + + context 'when user is anonymous' do + let(:policy) { described_class.new(nil, note) } + + it_behaves_like 'user cannot read or act on the note' + end + end + end end end end diff --git a/spec/policies/resource_label_event_policy_spec.rb b/spec/policies/resource_label_event_policy_spec.rb new file mode 100644 index 00000000000..9206640ea00 --- /dev/null +++ b/spec/policies/resource_label_event_policy_spec.rb @@ -0,0 +1,67 @@ +require 'spec_helper' + +describe ResourceLabelEventPolicy do + set(:user) { create(:user) } + set(:project) { create(:project, :private) } + set(:issue) { create(:issue, project: project) } + set(:private_project) { create(:project, :private) } + + describe '#read_resource_label_event' do + context 'with non-member user' do + it 'does not allow to read event' do + event = build_event(project) + + expect(permissions(user, event)).to be_disallowed(:read_resource_label_event) + end + end + + context 'with member user' do + before do + project.add_guest(user) + end + + it 'allows to read event for accessible label' do + event = build_event(project) + + expect(permissions(user, event)).to be_allowed(:read_resource_label_event) + end + + it 'does not allow to read event for not accessible label' do + event = build_event(private_project) + + expect(permissions(user, event)).to be_disallowed(:read_resource_label_event) + end + end + end + + describe '#read_label' do + it 'allows to read deleted label' do + event = build(:resource_label_event, issue: issue, label: nil) + + expect(permissions(user, event)).to be_allowed(:read_label) + end + + it 'allows to read accessible label' do + project.add_guest(user) + event = build_event(project) + + expect(permissions(user, event)).to be_allowed(:read_label) + end + + it 'does not allow to read not accessible label' do + event = build_event(private_project) + + expect(permissions(user, event)).to be_disallowed(:read_label) + end + end + + def build_event(label_project) + label = create(:label, project: label_project) + + build(:resource_label_event, issue: issue, label: label) + end + + def permissions(user, issue) + described_class.new(user, issue) + end +end diff --git a/spec/requests/api/resource_label_events_spec.rb b/spec/requests/api/resource_label_events_spec.rb index 25bea627b0c..8bac378787c 100644 --- a/spec/requests/api/resource_label_events_spec.rb +++ b/spec/requests/api/resource_label_events_spec.rb @@ -5,28 +5,23 @@ require 'spec_helper' describe API::ResourceLabelEvents do set(:user) { create(:user) } set(:project) { create(:project, :public, namespace: user.namespace) } + set(:label) { create(:label, project: project) } before do project.add_developer(user) end context 'when eventable is an Issue' do - let(:issue) { create(:issue, project: project, author: user) } - it_behaves_like 'resource_label_events API', 'projects', 'issues', 'iid' do let(:parent) { project } - let(:eventable) { issue } - let!(:event) { create(:resource_label_event, issue: issue) } + let(:eventable) { create(:issue, project: project, author: user) } end end context 'when eventable is a Merge Request' do - let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) } - it_behaves_like 'resource_label_events API', 'projects', 'merge_requests', 'iid' do let(:parent) { project } - let(:eventable) { merge_request } - let!(:event) { create(:resource_label_event, merge_request: merge_request) } + let(:eventable) { create(:merge_request, source_project: project, target_project: project, author: user) } end end end diff --git a/spec/services/boards/lists/update_service_spec.rb b/spec/services/boards/lists/update_service_spec.rb index f28bbab941a..a5411a2fb3a 100644 --- a/spec/services/boards/lists/update_service_spec.rb +++ b/spec/services/boards/lists/update_service_spec.rb @@ -10,9 +10,8 @@ describe Boards::Lists::UpdateService do context 'when user can admin list' do it 'calls Lists::MoveService to update list position' do board.parent.add_developer(user) - service = described_class.new(board.parent, user, position: 1) - expect(Boards::Lists::MoveService).to receive(:new).with(board.parent, user, { position: 1 }).and_call_original + expect(Boards::Lists::MoveService).to receive(:new).with(board.parent, user, params).and_call_original expect_any_instance_of(Boards::Lists::MoveService).to receive(:execute).with(list) service.execute(list) @@ -21,8 +20,6 @@ describe Boards::Lists::UpdateService do context 'when user cannot admin list' do it 'does not call Lists::MoveService to update list position' do - service = described_class.new(board.parent, user, position: 1) - expect(Boards::Lists::MoveService).not_to receive(:new) service.execute(list) @@ -34,7 +31,6 @@ describe Boards::Lists::UpdateService do context 'when user can read list' do it 'updates list preference for user' do board.parent.add_guest(user) - service = described_class.new(board.parent, user, collapsed: true) service.execute(list) @@ -44,8 +40,6 @@ describe Boards::Lists::UpdateService do context 'when user cannot read list' do it 'does not update list preference for user' do - service = described_class.new(board.parent, user, collapsed: true) - service.execute(list) expect(list.preferences_for(user).collapsed).to be_nil @@ -54,35 +48,61 @@ describe Boards::Lists::UpdateService do end describe '#execute' do + let(:service) { described_class.new(board.parent, user, params) } + context 'when position parameter is present' do + let(:params) { { position: 1 } } + context 'for projects' do - it_behaves_like 'moving list' do - let(:project) { create(:project, :private) } - let(:board) { create(:board, project: project) } - end + let(:project) { create(:project, :private) } + let(:board) { create(:board, project: project) } + + it_behaves_like 'moving list' end context 'for groups' do - it_behaves_like 'moving list' do - let(:group) { create(:group, :private) } - let(:board) { create(:board, group: group) } - end + let(:group) { create(:group, :private) } + let(:board) { create(:board, group: group) } + + it_behaves_like 'moving list' end end context 'when collapsed parameter is present' do + let(:params) { { collapsed: true } } + context 'for projects' do - it_behaves_like 'updating list preferences' do - let(:project) { create(:project, :private) } - let(:board) { create(:board, project: project) } - end + let(:project) { create(:project, :private) } + let(:board) { create(:board, project: project) } + + it_behaves_like 'updating list preferences' end context 'for groups' do - it_behaves_like 'updating list preferences' do - let(:group) { create(:group, :private) } - let(:board) { create(:board, group: group) } - end + let(:project) { create(:project, :private) } + let(:board) { create(:board, project: project) } + + it_behaves_like 'updating list preferences' + end + end + + context 'when position and collapsed are both present' do + let(:params) { { collapsed: true, position: 1 } } + + context 'for projects' do + let(:project) { create(:project, :private) } + let(:board) { create(:board, project: project) } + + it_behaves_like 'moving list' + it_behaves_like 'updating list preferences' + end + + context 'for groups' do + let(:group) { create(:group, :private) } + let(:board) { create(:board, group: group) } + + it_behaves_like 'moving list' + it_behaves_like 'updating list preferences' end end end diff --git a/spec/services/ci/cancel_user_pipelines_service_spec.rb b/spec/services/ci/cancel_user_pipelines_service_spec.rb new file mode 100644 index 00000000000..251f21feaef --- /dev/null +++ b/spec/services/ci/cancel_user_pipelines_service_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Ci::CancelUserPipelinesService do + describe '#execute' do + let(:user) { create(:user) } + + subject { described_class.new.execute(user) } + + context 'when user has running CI pipelines' do + let(:pipeline) { create(:ci_pipeline, :running, user: user) } + let!(:build) { create(:ci_build, :running, pipeline: pipeline) } + + it 'cancels all running pipelines and related jobs' do + subject + + expect(pipeline.reload).to be_canceled + expect(build.reload).to be_canceled + end + end + end +end diff --git a/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb b/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb index 07c541ec189..f2f31e1b7f2 100644 --- a/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb +++ b/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb @@ -11,10 +11,6 @@ shared_examples_for 'multiple issue boards' do wait_for_requests end - it 'shows board switcher' do - expect(page).to have_css('.boards-switcher') - end - it 'shows current board name' do page.within('.boards-switcher') do expect(page).to have_content(board.name) diff --git a/spec/support/shared_examples/resource_label_events_api.rb b/spec/support/shared_examples/resource_label_events_api.rb index 945cb8d9f2c..6622df78ee2 100644 --- a/spec/support/shared_examples/resource_label_events_api.rb +++ b/spec/support/shared_examples/resource_label_events_api.rb @@ -2,43 +2,98 @@ shared_examples 'resource_label_events API' do |parent_type, eventable_type, id_name| describe "GET /#{parent_type}/:id/#{eventable_type}/:noteable_id/resource_label_events" do - it "returns an array of resource label events" do - get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", user) + context "with local label reference" do + let!(:event) { create_event(label) } - expect(response).to have_gitlab_http_status(200) - expect(response).to include_pagination_headers - expect(json_response).to be_an Array - expect(json_response.first['id']).to eq(event.id) - end + it "returns an array of resource label events" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", user) + + expect(response).to have_gitlab_http_status(200) + expect(response).to include_pagination_headers + expect(json_response).to be_an Array + expect(json_response.first['id']).to eq(event.id) + end + + it "returns a 404 error when eventable id not found" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/12345/resource_label_events", user) + + expect(response).to have_gitlab_http_status(404) + end + + it "returns 404 when not authorized" do + parent.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + private_user = create(:user) - it "returns a 404 error when eventable id not found" do - get api("/#{parent_type}/#{parent.id}/#{eventable_type}/12345/resource_label_events", user) + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", private_user) - expect(response).to have_gitlab_http_status(404) + expect(response).to have_gitlab_http_status(404) + end end - it "returns 404 when not authorized" do - parent.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) - private_user = create(:user) + context "with cross-project label reference" do + let(:private_project) { create(:project, :private) } + let(:project_label) { create(:label, project: private_project) } + let!(:event) { create_event(project_label) } - get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", private_user) + it "returns cross references accessible by user" do + private_project.add_guest(user) - expect(response).to have_gitlab_http_status(404) + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", user) + + expect(json_response).to be_an Array + expect(json_response.first['id']).to eq(event.id) + end + + it "does not return cross references not accessible by user" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events", user) + + expect(json_response).to be_an Array + expect(json_response).to eq [] + end end end describe "GET /#{parent_type}/:id/#{eventable_type}/:noteable_id/resource_label_events/:event_id" do - it "returns a resource label event by id" do - get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/#{event.id}", user) + context "with local label reference" do + let!(:event) { create_event(label) } + + it "returns a resource label event by id" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/#{event.id}", user) - expect(response).to have_gitlab_http_status(200) - expect(json_response['id']).to eq(event.id) + expect(response).to have_gitlab_http_status(200) + expect(json_response['id']).to eq(event.id) + end + + it "returns 404 when not authorized" do + parent.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + private_user = create(:user) + + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/#{event.id}", private_user) + + expect(response).to have_gitlab_http_status(404) + end + + it "returns a 404 error if resource label event not found" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/12345", user) + + expect(response).to have_gitlab_http_status(404) + end end - it "returns a 404 error if resource label event not found" do - get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/12345", user) + context "with cross-project label reference" do + let(:private_project) { create(:project, :private) } + let(:project_label) { create(:label, project: private_project) } + let!(:event) { create_event(project_label) } + + it "returns a 404 error if cross-reference project is not accessible" do + get api("/#{parent_type}/#{parent.id}/#{eventable_type}/#{eventable[id_name]}/resource_label_events/#{event.id}", user) - expect(response).to have_gitlab_http_status(404) + expect(response).to have_gitlab_http_status(404) + end end end + + def create_event(label) + create(:resource_label_event, eventable.class.name.underscore => eventable, label: label) + end end |