Commit 38282323 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'security-unauth-protected-branch-delete' into 'master'

[master] Resolve "Unauthorized user can delete protected branch's merge access levels and push access levels"

See merge request gitlab/gitlab-ee!693
parents 462e919d 2ea4bb4c
...@@ -58,14 +58,7 @@ scope format: false do ...@@ -58,14 +58,7 @@ scope format: false do
resource :release, only: [:edit, :update] resource :release, only: [:edit, :update]
end end
resources :protected_branches, only: [:index, :show, :create, :update, :destroy, :patch], constraints: { id: Gitlab::PathRegex.git_reference_regex } do resources :protected_branches, only: [:index, :show, :create, :update, :destroy, :patch], constraints: { id: Gitlab::PathRegex.git_reference_regex }
## EE-specific
scope module: :protected_branches do
resources :merge_access_levels, only: [:destroy]
resources :push_access_levels, only: [:destroy]
end
end
resources :protected_tags, only: [:index, :show, :create, :update, :destroy] resources :protected_tags, only: [:index, :show, :create, :update, :destroy]
end end
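Review bot: The new side of the `resources :protected_branches` line still lists `:patch` in `only:`; Rails resource routing recognises only the seven standard actions there, so `:patch` is a no-op and the line can read `only: [:index, :show, :create, :update, :destroy]`, matching the `protected_tags` resource on the next line. The removed nested `merge_access_levels` and `push_access_levels` destroy routes were served by controllers whose shared `ProtectedBranches::ApplicationController` (deleted further down in this commit, as far as the rendered page shows) only loads the record and registers no authorization callback, which is what made the endpoints reachable by unauthorized users; dropping the routes closes that, but nothing in the commit pins it. A routing spec asserting that the old nested destroy paths are no longer routable (rspec-rails `expect(delete: ...).not_to be_routable` for both `merge_access_levels` and `push_access_levels`) would keep the routes from being reintroduced without an authorization check. The `+`/`-` markers are lost in this rendering, so the side of lines 13–18 is inferred from the hunk header and the `do`-less new `resources` line.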
class Projects::ProtectedBranches::ApplicationController < Projects::ApplicationController
protected
def load_protected_branch
@protected_branch = @project.protected_branches.find(params[:protected_branch_id])
end
end
module Projects
module ProtectedBranches
class MergeAccessLevelsController < ProtectedBranches::ApplicationController
before_action :load_protected_branch, only: [:destroy]
def destroy
@merge_access_level = @protected_branch.merge_access_levels.find(params[:id])
@merge_access_level.destroy
redirect_to project_protected_branch_path(@project, @protected_branch),
status: 302,
notice: "Successfully deleted. #{@merge_access_level.humanize} will not be able to merge into this protected branch."
end
end
end
end
module Projects
module ProtectedBranches
class PushAccessLevelsController < ProtectedBranches::ApplicationController
before_action :load_protected_branch, only: [:destroy]
def destroy
@push_access_level = @protected_branch.push_access_levels.find(params[:id])
@push_access_level.destroy
redirect_to project_protected_branch_path(@project, @protected_branch),
status: 302,
notice: "Successfully deleted. #{@push_access_level.humanize} will not be able to push to this protected branch."
end
end
end
end
class Projects::ProtectedTags::ApplicationController < Projects::ApplicationController
protected
def load_protected_tag
@protected_tag = @project.protected_tags.find(params[:protected_tag_id])
end
end
module Projects
module ProtectedTags
class CreateAccessLevelsController < ProtectedTags::ApplicationController
before_action :load_protected_tag, only: [:destroy]
def destroy
@create_access_level = @protected_tag.create_access_levels.find(params[:id])
@create_access_level.destroy
redirect_to project_protected_tag_path(@project, @protected_tag),
status: 302,
notice: "Successfully deleted. #{@create_access_level.humanize} will not be able to create this protected tag."
end
end
end
end