Commit 2b2efbc6 authored by John T Skarbek's avatar John T Skarbek

Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'

parents affa81eb 7b52cff4
......@@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user = find_chat_user(params)
if chat_user&.user
return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
else
url = authorize_chat_name_url(params)
......
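Review bot: The new guard on the `return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)` line carries no explanation of why a user with a linked chat name can still be refused, which is the whole point of the fix. A short comment above it would help the next reader, e.g. `# A linked chat name outlives the account: blocked, internal and access-locked users are denied by GlobalPolicy before any command is parsed.` The line also repeats `chat_user.user` right after the `if chat_user&.user` test; binding `user = chat_user.user` once would shorten the guard and the `Command.new` call below it. The enclosing method starts and ends outside the hunk.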
......@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
enable :access_git
enable :receive_notifications
enable :use_quick_actions
enable :use_slash_commands
end
rule { blocked | internal }.policy do
......@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
prevent :access_api
prevent :access_git
prevent :receive_notifications
prevent :use_slash_commands
end
rule { required_terms_not_accepted }.policy do
......@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
rule { access_locked }.policy do
prevent :log_in
prevent :use_slash_commands
end
rule { ~(anonymous & restricted_public_level) }.policy do
......
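Review bot: The three added lines (`enable :use_slash_commands` in the first hunk, `prevent :use_slash_commands` in the `blocked | internal` and `access_locked` rules) mirror the `:log_in` restrictions by hand, so nothing ties the new ability to login access; a later rule that prevents `:log_in` but is not updated would leave slash commands allowed, and the `required_terms_not_accepted` rule whose body sits just outside the second hunk is the kind of place this can drift. If the policy DSL permits `can?` conditions, a single `rule { ~can?(:log_in) }.prevent :use_slash_commands` would express the intent directly; otherwise a comment next to the enable, `# Keep in sync with every rule that prevents :log_in.`, at least records the coupling. The rule that contains the `enable` line opens outside the hunk, so its condition cannot be confirmed from here.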
---
title: Restrict slash commands to users who can log in
merge_request:
author:
type: security
......@@ -226,4 +226,32 @@ describe GlobalPolicy do
it { is_expected.not_to be_allowed(:read_instance_statistics) }
end
end
describe 'slash commands' do
context 'regular user' do
it { is_expected.to be_allowed(:use_slash_commands) }
end
context 'when internal' do
let(:current_user) { User.ghost }
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when blocked' do
before do
current_user.block
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when access locked' do
before do
current_user.lock_access!
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
end
end
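Review bot: The first context is named `'regular user'` while its three siblings follow the `'when …'` pattern (`'when internal'`, `'when blocked'`, `'when access locked'`); renaming it `context 'when a regular user' do` keeps the generated example descriptions uniform. The `current_user` that `'when blocked'` and `'when access locked'` mutate in `before`, and the `subject` behind `is_expected`, are defined outside the hunk, so the examples rely on the surrounding file resetting them per example.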
......@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do
subject.trigger(params)
end
context 'when user is blocked' do
before do
chat_name.user.block
end
it 'blocks command execution' do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
result = subject.trigger(params)
expect(result).to include(text: /^Whoops! This action is not allowed/)
end
end
end
end
end
......
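Review bot: The new example uses `expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)`, a pattern RSpec discourages because it stubs every instance globally; since the service returns the access-denied presenter before `Gitlab::SlashCommands::Command.new` is reached, `expect(Gitlab::SlashCommands::Command).not_to receive(:new)` asserts the same thing more directly. The text assertion `include(text: /^Whoops! This action is not allowed/)` ties the example to the presenter's wording, which is acceptable for an integration-style check but worth a comment such as `# wording comes from Presenters::Access#access_denied`. The shared example group continues outside the hunk.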