Commit 2f0050fb authored by Yorick Peterse

Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master'

[master] Don't process MR refs for guests in the notes

See merge request gitlab/gitlabhq!2771
parents 90e22335 81fee361
...@@ -393,7 +393,7 @@ class ProjectPolicy < BasePolicy ...@@ -393,7 +393,7 @@ class ProjectPolicy < BasePolicy
end.enable :read_issue_iid end.enable :read_issue_iid
rule do rule do
(can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request) (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
end.enable :read_merge_request_iid end.enable :read_merge_request_iid
rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
......
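Review bot: The new `~guest` guard on the `read_merge_request_iid` rule carries no comment explaining why the iid path is withheld from guests while `read_project_for_iids` itself stays available to them, so the reasoning lives only in the commit title; a one-line comment above the `rule do` would keep it with the code, e.g. `# Guests may resolve issue iids but not MR iids: MR references in notes must not reveal merge requests the user cannot read.` The rule still grants the ability through `can?(:read_merge_request)`, so roles that can read merge requests are unaffected, assuming the `guest` condition (defined outside the hunk) is true only for guest-level access; if it is true for any member at or above guest, the first branch is dead for all members and that intent should be stated as well. The enclosing `ProjectPolicy` class starts and ends outside the hunk.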
---
title: Don't process MR refs for guests in the notes
merge_request: 2771
author:
type: security
...@@ -12,7 +12,7 @@ describe ProjectPolicy do ...@@ -12,7 +12,7 @@ describe ProjectPolicy do
let(:base_guest_permissions) do let(:base_guest_permissions) do
%i[ %i[
read_project read_board read_list read_wiki read_issue read_project read_board read_list read_wiki read_issue
read_project_for_iids read_issue_iid read_merge_request_iid read_label read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release award_emoji read_release
...@@ -164,6 +164,16 @@ describe ProjectPolicy do ...@@ -164,6 +164,16 @@ describe ProjectPolicy do
end end
end end
context 'for a guest in a private project' do
let(:project) { create(:project, :private) }
subject { described_class.new(guest, project) }
it 'disallows the guest from reading the merge request and merge request iid' do
expect_disallowed(:read_merge_request)
expect_disallowed(:read_merge_request_iid)
end
end
context 'builds feature' do context 'builds feature' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
......
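Review bot: The new context at the end of the section covers only a guest on a private project, so the spec does not pin the other half of the rule — a guest-level user on a public project, where `merge_requests_visible_to_user` rather than private-project visibility decides access — and a regression that dropped the iid path for everyone may pass this suite. A sibling `context 'for a guest in a public project'` with `let(:project) { create(:project, :public) }` and an explicit expectation on `:read_merge_request_iid` would make the intended distinction visible in the tests; whether that expectation is allow or deny cannot be read from the hunk, so confirm it against the policy. The `guest` helper used by `subject` and the enclosing `describe ProjectPolicy` block are defined outside the hunk.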