diff options
author | Sean McGivern <sean@gitlab.com> | 2017-11-22 17:24:11 +0000 |
---|---|---|
committer | Michael Kozono <mkozono@gmail.com> | 2017-12-08 13:48:18 -0800 |
commit | c59ae5470546d1169ee3ab89486140e815400f31 (patch) | |
tree | db38c48c79fad894ffb67393bec70576186ecf9c | |
parent | 8f29d2640ffb29c7ca8c0ab1136aa1959582db3a (diff) | |
download | gitlab-ce-c59ae5470546d1169ee3ab89486140e815400f31.tar.gz |
Merge branch 'issue_30663' into 'security-10-2'
Prevent creating issues through API without having permissions
See merge request gitlab/gitlabhq!2225
(cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c)
915b97c5 Prevent creating issues through API without having permissions
-rw-r--r-- | changelogs/unreleased/issue_30663.yml | 5 | ||||
-rw-r--r-- | lib/api/issues.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/issues_spec.rb | 14 |
3 files changed, 21 insertions, 0 deletions
diff --git a/changelogs/unreleased/issue_30663.yml b/changelogs/unreleased/issue_30663.yml new file mode 100644 index 00000000000..b20ed6a82e7 --- /dev/null +++ b/changelogs/unreleased/issue_30663.yml @@ -0,0 +1,5 @@ +--- +title: Prevent creating issues through API when user does not have permissions +merge_request: +author: +type: security diff --git a/lib/api/issues.rb b/lib/api/issues.rb index e60e00d7956..5f943ba27d1 100644 --- a/lib/api/issues.rb +++ b/lib/api/issues.rb @@ -161,6 +161,8 @@ module API use :issue_params end post ':id/issues' do + authorize! :create_issue, user_project + # Setting created_at time only allowed for admins and project owners unless current_user.admin? || user_project.owner == current_user params.delete(:created_at) diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb index 99525cd0a6a..3f5070a1fd2 100644 --- a/spec/requests/api/issues_spec.rb +++ b/spec/requests/api/issues_spec.rb @@ -860,6 +860,20 @@ describe API::Issues, :mailer do end end + context 'user does not have permissions to create issue' do + let(:not_member) { create(:user) } + + before do + project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE) + end + + it 'renders 403' do + post api("/projects/#{project.id}/issues", not_member), title: 'new issue' + + expect(response).to have_gitlab_http_status(403) + end + end + it 'creates a new project issue' do post api("/projects/#{project.id}/issues", user), title: 'new issue', labels: 'label, label2', weight: 3, |