Check authorization in merge services

Move authorization checks to merge services instead relying solely on external checks.

Check authorization in merge services
Move authorization checks to merge services instead relying solely on external checks.
105212ce · Oswaldo Ferreira · 1ad69967 · 105212ce · 105212ce · 105212ce
Commit 105212ce authored Feb 11, 2019 by Oswaldo Ferreira
5 changed files
--- a/app/services/merge_requests/merge_base_service.rb
+++ b/app/services/merge_requests/merge_base_service.rb
@@ -27,6 +27,10 @@ module MergeRequests
    private
+    def raise_error(message)
+      raise MergeError, message
+    end
    def handle_merge_error(*args)
      # No-op
    end

--- a/app/services/merge_requests/merge_service.rb
+++ b/app/services/merge_requests/merge_service.rb
@@ -18,7 +18,7 @@ module MergeRequests
      @merge_request = merge_request
-      error_check!
+      validate!
      merge_request.in_locked_state do
        if commit
@@ -34,6 +34,17 @@ module MergeRequests
    private
+    def validate!
+      authorization_check!
+      error_check!
+    end
+    def authorization_check!
+      unless @merge_request.can_be_merged_by?(current_user)
+        raise_error('You are not allowed to merge this merge request')
+      end
+    end
    def error_check!
      error =
        if @merge_request.should_be_rebased?
@@ -44,7 +55,7 @@ module MergeRequests
          'No source for merge'
        end
-      raise MergeError, error if error
+      raise_error(error) if error
    end
    def commit
@@ -54,7 +65,7 @@ module MergeRequests
      if commit_id
        log_info("Git merge finished on JID #{merge_jid} commit #{commit_id}")
      else
-        raise MergeError, 'Conflicts detected during merge'
+        raise_error('Conflicts detected during merge')
      end
      merge_request.update!(merge_commit_sha: commit_id)
@@ -64,10 +75,10 @@ module MergeRequests
      repository.merge(current_user, source, merge_request, commit_message)
    rescue Gitlab::Git::PreReceiveError => e
      handle_merge_error(log_message: e.message)
-      raise MergeError, 'Something went wrong during merge pre-receive hook'
+      raise_error('Something went wrong during merge pre-receive hook')
    rescue => e
      handle_merge_error(log_message: e.message)
-      raise MergeError, 'Something went wrong during merge'
+      raise_error('Something went wrong during merge')
    ensure
      merge_request.update!(in_progress_merge_commit_sha: nil)
    end

--- a/app/services/merge_requests/merge_to_ref_service.rb
+++ b/app/services/merge_requests/merge_to_ref_service.rb
@@ -14,11 +14,11 @@ module MergeRequests
    def execute(merge_request)
      @merge_request = merge_request
-      error_check!
+      validate!
      commit_id = commit
-      raise MergeError, 'Conflicts detected during merge' unless commit_id
+      raise_error('Conflicts detected during merge') unless commit_id
      success(commit_id: commit_id)
    rescue MergeError => error
@@ -27,6 +27,11 @@ module MergeRequests
    private
+    def validate!
+      authorization_check!
+      error_check!
+    end
    def error_check!
      error =
        if !merge_method_supported?
@@ -41,7 +46,13 @@ module MergeRequests
          'No source for merge'
        end
-      raise MergeError, error if error
+      raise_error(error) if error
+    end
+    def authorization_check!
+      unless Ability.allowed?(current_user, :admin_merge_request, project)
+        raise_error("You are not allowed to merge to this ref")
+      end
    end
    def target_ref

--- a/spec/services/merge_requests/merge_service_spec.rb
+++ b/spec/services/merge_requests/merge_service_spec.rb
@@ -224,6 +224,18 @@ describe MergeRequests::MergeService do
        expect(Rails.logger).to have_received(:error).with(a_string_matching(error_message))
      end
+      it 'logs and saves error if user is not authorized' do
+        unauthorized_user = create(:user)
+        project.add_reporter(unauthorized_user)
+        service = described_class.new(project, unauthorized_user)
+        service.execute(merge_request)
+        expect(merge_request.merge_error)
+          .to eq('You are not allowed to merge this merge request')
+      end
      it 'logs and saves error if there is an PreReceiveError exception' do
        error_message = 'error message'

--- a/spec/services/merge_requests/merge_to_ref_service_spec.rb
+++ b/spec/services/merge_requests/merge_to_ref_service_spec.rb
@@ -3,6 +3,22 @@
 require 'spec_helper'
 describe MergeRequests::MergeToRefService do
+  shared_examples_for 'MergeService for target ref' do
+    it 'target_ref has the same state of target branch' do
+      repo = merge_request.target_project.repository
+      process_merge_to_ref
+      merge_service.execute(merge_request)
+      ref_commits = repo.commits(merge_request.merge_ref_path, limit: 3)
+      target_branch_commits = repo.commits(merge_request.target_branch, limit: 3)
+      ref_commits.zip(target_branch_commits).each do |ref_commit, target_branch_commit|
+        expect(ref_commit.parents).to eq(target_branch_commit.parents)
+      end
+    end
+  end
  set(:user) { create(:user) }
  let(:merge_request) { create(:merge_request, :simple) }
  let(:project) { merge_request.project }
@@ -76,22 +92,6 @@ describe MergeRequests::MergeToRefService do
        MergeRequests::MergeService.new(project, user, {})
      end
-      shared_examples_for 'MergeService for target ref' do
-        it 'target_ref has the same state of target branch' do
-          repo = merge_request.target_project.repository
-          process_merge_to_ref
-          merge_service.execute(merge_request)
-          ref_commits = repo.commits(merge_request.merge_ref_path, limit: 3)
-          target_branch_commits = repo.commits(merge_request.target_branch, limit: 3)
-          ref_commits.zip(target_branch_commits).each do |ref_commit, target_branch_commit|
-            expect(ref_commit.parents).to eq(target_branch_commit.parents)
-          end
-        end
-      end
      context 'when merge commit' do
        it_behaves_like 'MergeService for target ref'
      end
@@ -176,5 +176,17 @@ describe MergeRequests::MergeToRefService do
      it { expect(todo).not_to be_done }
    end
+    it 'returns error when user has no authorization to admin the merge request' do
+      unauthorized_user = create(:user)
+      project.add_reporter(unauthorized_user)
+      service = described_class.new(project, unauthorized_user)
+      result = service.execute(merge_request)
+      expect(result[:status]).to eq(:error)
+      expect(result[:message]).to eq('You are not allowed to merge to this ref')
+    end
  end
 end