Commit
3a321c80
authored
Feb 11, 2019
by
Małgorzata Ksionek
Secure vulnerability and add specs
parent
d40a3809
Showing
5 changed files
with
69 additions
and
11 deletions
+69
-11
app/policies/group_policy.rb
app/policies/group_policy.rb
+0
-1
changelogs/unreleased/security-shared-project-private-group.yml
...logs/unreleased/security-shared-project-private-group.yml
+5
-0
spec/controllers/projects/group_links_controller_spec.rb
spec/controllers/projects/group_links_controller_spec.rb
+2
-0
spec/features/security/group/private_access_spec.rb
spec/features/security/group/private_access_spec.rb
+28
-4
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+34
-6
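--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
   rule { admin }.enable :read_group
   rule { has_projects }.policy do
-    enable :read_group
     enable :read_label
   end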
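--- /dev/null
+++ b/changelogs/unreleased/security-shared-project-private-group.yml
+---
+title: Fixed ability to see private groups by users not belonging to given group
+merge_request:
+author:
+type: security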
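--- a/spec/controllers/projects/group_links_controller_spec.rb
+++ b/spec/controllers/projects/group_links_controller_spec.rb
@@ -67,6 +67,8 @@
     context 'when project group id equal link group id' do
       before do
+        group2.add_developer(user)
         post(:create, params: {
           namespace_id: project.namespace,
           project_id: project,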
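Review bot: The new `group2.add_developer(user)` line in the `before` block carries no explanation of why membership is now needed in a context whose request is expected to be rejected ('when project group id equal link group id'). Presumably the membership is there so the response reflects the same-group check rather than the user simply lacking access to `group2`, but that is inferred from the context name, not stated; a one-line comment such as `# give the user access to group2 so the response reflects the same-group check, not group visibility` would keep the next reader from removing it. The enclosing context and the `post(:create, ...)` call continue outside the hunk.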
spec/features/security/group/private_access_spec.rb
@@ -27,7 +27,7 @@
@@ -27,7 +27,7 @@
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
@@ -42,7 +42,7 @@
@@ -42,7 +42,7 @@
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
@@ -58,7 +58,7 @@
@@ -58,7 +58,7 @@
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
@@ -73,7 +73,7 @@
@@ -73,7 +73,7 @@
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
@@ -93,4 +93,28 @@
@@ -93,4 +93,28 @@
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
end
end
describe
'GET /groups/:path for shared projects'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
before
do
Projects
::
GroupLinks
::
CreateService
.
new
(
project
,
create
(
:user
),
link_group_access:
ProjectGroupLink
::
DEVELOPER
).
execute
(
group
)
end
subject
{
group_path
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:reporter
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:guest
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
project_guest
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
end
end
end
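Review bot: In the new 'GET /groups/:path for shared projects' block, the `before` block shares `project` with `group` through `Projects::GroupLinks::CreateService` using a freshly created `create(:user)` as the acting user and never checks the outcome; if the service declines the call for that user, no link exists and every `be_denied_for` expectation passes without the shared-project path ever being exercised. Asserting the fixture in the setup, e.g. `expect(project.project_group_links.count).to eq(1)` (confirm the association name against the model), would make this regression test fail loudly if the setup breaks. The same unchecked `CreateService` setup appears twice in spec/policies/group_policy_spec.rb and would benefit from the same assertion. The outer `describe`, `group` and `project_guest` are defined outside the hunks.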
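--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -74,6 +74,38 @@ def expect_disallowed(*permissions)
     end
   end
+  context 'with no user and public project' do
+    let(:project) { create(:project, :public) }
+    let(:user) { create(:user) }
+    let(:current_user) { nil }
+    before do
+      Projects::GroupLinks::CreateService.new(project, user, link_group_access: ProjectGroupLink::DEVELOPER).execute(group)
+    end
+    it { expect_disallowed(:read_group) }
+  end
+  context 'with foreign user and public project' do
+    let(:project) { create(:project, :public) }
+    let(:user) { create(:user) }
+    let(:current_user) { create(:user) }
+    before do
+      Projects::GroupLinks::CreateService.new(project, user, link_group_access: ProjectGroupLink::DEVELOPER).execute(group)
+    end
+    it { expect_disallowed(:read_group) }
+  end
   context 'has projects' do
     let(:current_user) { create(:user) }
     let(:project) { create(:project, namespace: group) }
@@ -82,17 +114,13 @@ def expect_disallowed(*permissions)
       project.add_developer(current_user)
     end
-    it do
-      expect_allowed(:read_group, :read_label)
-    end
+    it { expect_allowed(:read_label) }
     context 'in subgroups', :nested_groups do
       let(:subgroup) { create(:group, :private, parent: group) }
       let(:project) { create(:project, namespace: subgroup) }
-      it do
-        expect_allowed(:read_group, :read_label)
-      end
+      it { expect_allowed(:read_label) }
     end
   end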
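Review bot: The second hunk replaces `expect_allowed(:read_group, :read_label)` with `expect_allowed(:read_label)` in both the 'has projects' and 'in subgroups' examples, so the `:read_group` outcome for a developer of a project inside the group is no longer asserted either way. If dropping `read_group` from the `has_projects` rule is meant to deny it for that user, add `expect_disallowed(:read_group)` next to the remaining assertion so the fix is locked in; if it is intentionally left unspecified (another rule may still grant it), a short comment saying so would stop a future reader from re-adding the old assertion. The two new contexts in the first hunk also repeat the same `let(:project)`, `let(:user)` and `before` block verbatim, which a `shared_context` could hold. `expect_disallowed`'s definition and the enclosing describe lie outside the hunks.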