author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2015-11-16 15:00:55 +0000 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2015-11-16 15:00:55 +0000 |
commit | 9a3df9d5d015db292f9f50770158fdc3fdc4a6ca (patch) | |
tree | 36dbb457eea8411c5449e7acc139a7f08a0a5e7f /app/models | |
parent | 1328e4b504773ff98d716fd561dbc50fd7652a36 (diff) | |
parent | 03f5ff750b107b30a6d306aafb6699a9c9ecff0d (diff) | |
download | gitlab-ce-9a3df9d5d015db292f9f50770158fdc3fdc4a6ca.tar.gz |
Merge branch 'ci-runners-master-or-owner' into 'master'
Show specific runners from projects where user is master or owner
This fixes a permission escalation when handling specific runners.
The users were allowed to assign runners from projects where they were guests.
See merge request !1809
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/user.rb | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 9ffadcf4468..61abea1f6ea 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -405,6 +405,15 @@ class User < ActiveRecord::Base
 end
 end
 
+ def master_or_owner_projects_id
+ @master_or_owner_projects_id ||= begin
+ scope = { access_level: [ Gitlab::Access::MASTER, Gitlab::Access::OWNER ] }
+ project_ids = personal_projects.pluck(:id)
+ project_ids.push(*groups_projects.where(members: scope).pluck(:id))
+ project_ids.push(*projects.where(members: scope).pluck(:id).uniq)
+ end
+ end
+
 # Projects user has access to
 def authorized_projects
 @authorized_projects ||= Project.where(id: authorized_projects_id)
@@ -765,14 +774,10 @@ class User < ActiveRecord::Base
 !solo_owned_groups.present?
 end
 
- def ci_authorized_projects
- @ci_authorized_projects ||= Ci::Project.where(gitlab_id: authorized_projects_id)
- end
-
 def ci_authorized_runners
 @ci_authorized_runners ||= begin
 runner_ids = Ci::RunnerProject.joins(:project).
- where(ci_projects: { gitlab_id: authorized_projects_id }).select(:runner_id)
+ where(ci_projects: { gitlab_id: master_or_owner_projects_id }).select(:runner_id)
 Ci::Runner.specific.where(id: runner_ids)
 end
 end
|
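Review bot: In `master_or_owner_projects_id` the `.uniq` is applied only to the third `pluck`, so the returned array can still hold the same id from `personal_projects`, `groups_projects` and `projects`; it is harmless inside the `gitlab_id:` IN-clause but misleading, and the last line should read `project_ids.push(*projects.where(members: scope).pluck(:id)).uniq` so the memoized value is the deduplicated set. The `members:` condition filters on whichever `members` row the `groups_projects`/`projects` association joins through; that is presumably this user's own membership row, but since this method is the authorization boundary for runner assignment it deserves a spec asserting that a user who is a guest in a group that also has master/owner members gets none of that group's projects back. The method also has no comment while its neighbour `authorized_projects` does; suggest `# IDs of personal projects plus group/direct projects where the user is master or owner; the set CI runners may be assigned from` above the `def`. Note that the memoized value is not refreshed if membership changes during the object's lifetime, matching the existing `||=` pattern in this file.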