diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:36:58 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:36:58 +0000 |
commit | 9d9591f43c0d0948267a75fc098f0c325aa75535 (patch) | |
tree | 6e3704a2eb23b038c1498a88e5c15c38eb121eb7 | |
parent | 9803962d343d3beb3513d4d8c72e1b6895731d86 (diff) | |
parent | 5dc047dc72c08a64aaf4f4a0c9fe0fba2742b905 (diff) | |
download | gitlab-ce-9d9591f43c0d0948267a75fc098f0c325aa75535.tar.gz |
Merge branch 'security-2798-fix-boards-policy' into 'master'
Disable issue board policies when issues are disabled
Closes #2798
See merge request gitlab/gitlabhq!2894
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-2798-fix-boards-policy.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 20 |
3 files changed, 19 insertions, 8 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 95dd8b2795e..9ed868f4f2e 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy rule { issues_disabled }.policy do prevent(*create_read_update_admin_destroy(:issue)) + prevent(*create_read_update_admin_destroy(:board)) + prevent(*create_read_update_admin_destroy(:list)) end rule { merge_requests_disabled | repository_disabled }.policy do diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml new file mode 100644 index 00000000000..10e8ac3a787 --- /dev/null +++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml @@ -0,0 +1,5 @@ +--- +title: Disable issue boards API when issues are disabled +merge_request: +author: +type: security diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 93a468f585b..f8d581ef38f 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -130,22 +130,26 @@ describe ProjectPolicy do subject { described_class.new(owner, project) } context 'when the feature is disabled' do - it 'does not include the issues permissions' do + before do project.issues_enabled = false project.save! + end + it 'does not include the issues permissions' do expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue end - end - context 'when the feature is disabled and external tracker configured' do - it 'does not include the issues permissions' do - create(:jira_service, project: project) + it 'disables boards and lists permissions' do + expect_disallowed :read_board, :create_board, :update_board, :admin_board + expect_disallowed :read_list, :create_list, :update_list, :admin_list + end - project.issues_enabled = false - project.save! + context 'when external tracker configured' do + it 'does not include the issues permissions' do + create(:jira_service, project: project) - expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + end end end end |