summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSean McGivern <sean@gitlab.com>2017-11-22 17:24:11 +0000
committerMichael Kozono <mkozono@gmail.com>2017-12-08 13:48:18 -0800
commitc59ae5470546d1169ee3ab89486140e815400f31 (patch)
treedb38c48c79fad894ffb67393bec70576186ecf9c
parent8f29d2640ffb29c7ca8c0ab1136aa1959582db3a (diff)
downloadgitlab-ce-c59ae5470546d1169ee3ab89486140e815400f31.tar.gz
Merge branch 'issue_30663' into 'security-10-2'
Prevent creating issues through API without having permissions See merge request gitlab/gitlabhq!2225 (cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c) 915b97c5 Prevent creating issues through API without having permissions
-rw-r--r--changelogs/unreleased/issue_30663.yml5
-rw-r--r--lib/api/issues.rb2
-rw-r--r--spec/requests/api/issues_spec.rb14
3 files changed, 21 insertions, 0 deletions
diff --git a/changelogs/unreleased/issue_30663.yml b/changelogs/unreleased/issue_30663.yml
new file mode 100644
index 00000000000..b20ed6a82e7
--- /dev/null
+++ b/changelogs/unreleased/issue_30663.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent creating issues through API when user does not have permissions
+merge_request:
+author:
+type: security
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index e60e00d7956..5f943ba27d1 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -161,6 +161,8 @@ module API
use :issue_params
end
post ':id/issues' do
+ authorize! :create_issue, user_project
+
# Setting created_at time only allowed for admins and project owners
unless current_user.admin? || user_project.owner == current_user
params.delete(:created_at)
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index 99525cd0a6a..3f5070a1fd2 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -860,6 +860,20 @@ describe API::Issues, :mailer do
end
end
+ context 'user does not have permissions to create issue' do
+ let(:not_member) { create(:user) }
+
+ before do
+ project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+ end
+
+ it 'renders 403' do
+ post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+ end
+
it 'creates a new project issue' do
post api("/projects/#{project.id}/issues", user),
title: 'new issue', labels: 'label, label2', weight: 3,