Commit 25f4c592 authored by Peter Leitzen's avatar Peter Leitzen

Merge branch '216505-public-dashboard-visibility' into 'master'

Fix public dashboard visibility bug

Closes #216505

See merge request gitlab-org/gitlab!31925
parents adafbefe 34719402
...@@ -280,6 +280,9 @@ class ProjectPolicy < BasePolicy ...@@ -280,6 +280,9 @@ class ProjectPolicy < BasePolicy
enable :read_prometheus enable :read_prometheus
enable :read_environment enable :read_environment
enable :read_deployment enable :read_deployment
end
rule { ~anonymous & can?(:metrics_dashboard) }.policy do
enable :create_metrics_user_starred_dashboard enable :create_metrics_user_starred_dashboard
enable :read_metrics_user_starred_dashboard enable :read_metrics_user_starred_dashboard
end end
...@@ -426,11 +429,27 @@ class ProjectPolicy < BasePolicy ...@@ -426,11 +429,27 @@ class ProjectPolicy < BasePolicy
rule { builds_disabled | repository_disabled }.policy do rule { builds_disabled | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:build)) prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule)) prevent(*create_read_update_admin_destroy(:pipeline_schedule))
prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:cluster)) prevent(*create_read_update_admin_destroy(:cluster))
prevent(*create_read_update_admin_destroy(:deployment)) prevent(*create_read_update_admin_destroy(:deployment))
end end
# Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is
# necessary due to the route for metrics dashboard requiring an environment id.
# This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when
# environments and metrics are decoupled and these rules will be removed.
rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do
prevent(*create_read_update_admin_destroy(:environment))
end
rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do
prevent :create_environment
prevent :update_environment
prevent :admin_environment
prevent :destroy_environment
enable :read_environment
end
# There's two separate cases when builds_disabled is true: # There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
# - We do not prevent the user from accessing Pipelines to allow them to access external CI # - We do not prevent the user from accessing Pipelines to allow them to access external CI
......
---
title: Fix public metrics dashboard visibility bug
merge_request: 31925
author:
type: fixed
...@@ -218,6 +218,11 @@ describe ProjectPolicy do ...@@ -218,6 +218,11 @@ describe ProjectPolicy do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end end
context 'without metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions except pipeline when the feature is disabled' do it 'disallows all permissions except pipeline when the feature is disabled' do
builds_permissions = [ builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
...@@ -231,6 +236,26 @@ describe ProjectPolicy do ...@@ -231,6 +236,26 @@ describe ProjectPolicy do
end end
end end
context 'with metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do
builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
]
expect_disallowed(*builds_permissions)
expect_allowed(:read_environment)
end
end
end
context 'when builds are disabled only for some users' do context 'when builds are disabled only for some users' do
subject { described_class.new(guest, project) } subject { described_class.new(guest, project) }
...@@ -252,9 +277,16 @@ describe ProjectPolicy do ...@@ -252,9 +277,16 @@ describe ProjectPolicy do
context 'repository feature' do context 'repository feature' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do before do
project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
end
context 'without metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions when the feature is disabled' do
repository_permissions = [ repository_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
...@@ -269,6 +301,28 @@ describe ProjectPolicy do ...@@ -269,6 +301,28 @@ describe ProjectPolicy do
end end
end end
context 'with metrics_dashboard_allowed' do
before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
it 'disallows all permissions when the feature is disabled' do
repository_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release
]
expect_disallowed(*repository_permissions)
expect_allowed(:read_environment)
end
end
end
it_behaves_like 'project policies as anonymous' it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest' it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter' it_behaves_like 'project policies as reporter'
...@@ -576,8 +630,8 @@ describe ProjectPolicy do ...@@ -576,8 +630,8 @@ describe ProjectPolicy do
it { is_expected.to be_allowed(:metrics_dashboard) } it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) } it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_allowed(:read_deployment) }
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment