summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYorick Peterse <yorickpeterse@gmail.com>2019-03-04 18:36:58 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2019-03-04 18:36:58 +0000
commit9d9591f43c0d0948267a75fc098f0c325aa75535 (patch)
tree6e3704a2eb23b038c1498a88e5c15c38eb121eb7
parent9803962d343d3beb3513d4d8c72e1b6895731d86 (diff)
parent5dc047dc72c08a64aaf4f4a0c9fe0fba2742b905 (diff)
downloadgitlab-ce-9d9591f43c0d0948267a75fc098f0c325aa75535.tar.gz
Merge branch 'security-2798-fix-boards-policy' into 'master'
Disable issue board policies when issues are disabled Closes #2798 See merge request gitlab/gitlabhq!2894
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--changelogs/unreleased/security-2798-fix-boards-policy.yml5
-rw-r--r--spec/policies/project_policy_spec.rb20
3 files changed, 19 insertions, 8 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 95dd8b2795e..9ed868f4f2e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue))
+ prevent(*create_read_update_admin_destroy(:board))
+ prevent(*create_read_update_admin_destroy(:list))
end
rule { merge_requests_disabled | repository_disabled }.policy do
diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml
new file mode 100644
index 00000000000..10e8ac3a787
--- /dev/null
+++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml
@@ -0,0 +1,5 @@
+---
+title: Disable issue boards API when issues are disabled
+merge_request:
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 93a468f585b..f8d581ef38f 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -130,22 +130,26 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
context 'when the feature is disabled' do
- it 'does not include the issues permissions' do
+ before do
project.issues_enabled = false
project.save!
+ end
+ it 'does not include the issues permissions' do
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
- end
- context 'when the feature is disabled and external tracker configured' do
- it 'does not include the issues permissions' do
- create(:jira_service, project: project)
+ it 'disables boards and lists permissions' do
+ expect_disallowed :read_board, :create_board, :update_board, :admin_board
+ expect_disallowed :read_list, :create_list, :update_list, :admin_list
+ end
- project.issues_enabled = false
- project.save!
+ context 'when external tracker configured' do
+ it 'does not include the issues permissions' do
+ create(:jira_service, project: project)
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
+ end
end
end
end