4cfa0b8a
Commit
4cfa0b8a
authored
Nov 28, 2018
by
Reuben Pereira
Committed by
Cindy Pallares
Nov 28, 2018
[master] Operations settings page visible to reporter users
parent
c270ade7
Changes
5
Showing
5 changed files
with
75 additions
and
69 deletions
+75
-69
ee/app/controllers/projects/settings/operations_controller.rb
...pp/controllers/projects/settings/operations_controller.rb
+1
-2
ee/app/controllers/projects/tracings_controller.rb
ee/app/controllers/projects/tracings_controller.rb
+1
-1
ee/changelogs/unreleased/security-358-operations-page-visible-to-reporters.yml
...sed/security-358-operations-page-visible-to-reporters.yml
+5
-0
ee/spec/controllers/projects/settings/operations_controller_spec.rb
...ntrollers/projects/settings/operations_controller_spec.rb
+35
-23
ee/spec/controllers/projects/tracings_controller_spec.rb
ee/spec/controllers/projects/tracings_controller_spec.rb
+33
-43
ee/app/controllers/projects/settings/operations_controller.rb
...
@@ -4,8 +4,7 @@ module Projects
...
@@ -4,8 +4,7 @@ module Projects
module
Settings
module
Settings
class
OperationsController
<
Projects
::
ApplicationController
class
OperationsController
<
Projects
::
ApplicationController
before_action
:check_license
before_action
:check_license
before_action
:authorize_update_environment!
,
only:
[
:create
,
:update
]
before_action
:authorize_update_environment!
before_action
:authorize_read_environment!
,
only:
[
:show
]
def
show
def
show
@tracing_settings
||=
ProjectTracingSetting
.
for_project
(
@project
)
@tracing_settings
||=
ProjectTracingSetting
.
for_project
(
@project
)
...
...
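Review bot: The new `before_action :authorize_update_environment!` makes the visibility of the operations settings page depend on which roles the project policy grants `update_environment`, an ability defined outside this file and not obviously tied to settings pages, so a later policy change made for environments would silently reopen this page; the `tracings_controller.rb` hunk has the same dependency. The spec in this commit pins the intended outcome (maintainer renders ok, guest/reporter/developer get 404), but nothing in the controller records that intent, so add a comment above the `before_action` such as `# The whole operations settings page is maintainer-level; keep this unscoped rather than only: [:create, :update]`, or gate the page on a settings-level ability (for example `authorize_admin_project!`) if that matches the other settings controllers. The `show` method continues outside the hunk.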
ee/app/controllers/projects/tracings_controller.rb
...
@@ -2,7 +2,7 @@
...
@@ -2,7 +2,7 @@
class
Projects::TracingsController
<
Projects
::
ApplicationController
class
Projects::TracingsController
<
Projects
::
ApplicationController
before_action
:check_license
before_action
:check_license
before_action
:authorize_
read_environment!
,
only:
[
:show
]
before_action
:authorize_
update_environment!
def
show
def
show
end
end
...
...
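--- /dev/null
+++ b/ee/changelogs/unreleased/security-358-operations-page-visible-to-reporters.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent reporter roles from viewing the Jaeger tracing settings page
+merge_request:
+author:
+type: security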
ee/spec/controllers/projects/settings/operations_controller_spec.rb
...
@@ -10,21 +10,27 @@ describe Projects::Settings::OperationsController do
...
@@ -10,21 +10,27 @@ describe Projects::Settings::OperationsController do
end
end
describe
'GET show'
do
describe
'GET show'
do
shared_examples
'user without
access to project
'
do
|
project_visibility
|
shared_examples
'user without
read access
'
do
|
project_visibility
|
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
%w[guest reporter developer]
.
each
do
|
role
|
before
do
project
.
public_send
(
"add_
#{
role
}
"
,
user
)
end
it
'returns 404'
do
it
'returns 404'
do
get
:show
,
namespace_id:
project
.
namespace
,
project_id:
project
get
:show
,
namespace_id:
project
.
namespace
,
project_id:
project
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
end
end
shared_examples
'user with
access to project
'
do
|
project_visibility
|
shared_examples
'user with
read access
'
do
|
project_visibility
|
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
before
do
before
do
project
.
add_
report
er
(
user
)
project
.
add_
maintain
er
(
user
)
end
end
it
'renders ok'
do
it
'renders ok'
do
...
@@ -50,16 +56,16 @@ describe Projects::Settings::OperationsController do
...
@@ -50,16 +56,16 @@ describe Projects::Settings::OperationsController do
stub_licensed_features
(
tracing:
true
)
stub_licensed_features
(
tracing:
true
)
end
end
context
'w
hen logged in with correct permission
'
do
context
'w
ith maintainer role
'
do
it_behaves_like
'user with
access to project
'
,
:public
it_behaves_like
'user with
read access
'
,
:public
it_behaves_like
'user with
access to project
'
,
:private
it_behaves_like
'user with
read access
'
,
:private
it_behaves_like
'user with
access to project
'
,
:internal
it_behaves_like
'user with
read access
'
,
:internal
end
end
context
'w
hen logged in without correct permission
'
do
context
'w
ithout maintainer role
'
do
it_behaves_like
'user without
access to project
'
,
:public
it_behaves_like
'user without
read access
'
,
:public
it_behaves_like
'user without
access to project
'
,
:private
it_behaves_like
'user without
read access
'
,
:private
it_behaves_like
'user without
access to project
'
,
:internal
it_behaves_like
'user without
read access
'
,
:internal
end
end
context
'when user not logged in'
do
context
'when user not logged in'
do
...
@@ -67,7 +73,7 @@ describe Projects::Settings::OperationsController do
...
@@ -67,7 +73,7 @@ describe Projects::Settings::OperationsController do
sign_out
(
user
)
sign_out
(
user
)
end
end
it_behaves_like
'user without
access to project
'
,
:public
it_behaves_like
'user without
read access
'
,
:public
it_behaves_like
'user needs to login'
,
:private
it_behaves_like
'user needs to login'
,
:private
it_behaves_like
'user needs to login'
,
:internal
it_behaves_like
'user needs to login'
,
:internal
...
@@ -79,9 +85,9 @@ describe Projects::Settings::OperationsController do
...
@@ -79,9 +85,9 @@ describe Projects::Settings::OperationsController do
stub_licensed_features
(
tracing:
false
)
stub_licensed_features
(
tracing:
false
)
end
end
it_behaves_like
'user without
access to project
'
,
:public
it_behaves_like
'user without
read access
'
,
:public
it_behaves_like
'user without
access to project
'
,
:private
it_behaves_like
'user without
read access
'
,
:private
it_behaves_like
'user without
access to project
'
,
:internal
it_behaves_like
'user without
read access
'
,
:internal
end
end
end
end
...
@@ -99,12 +105,18 @@ describe Projects::Settings::OperationsController do
...
@@ -99,12 +105,18 @@ describe Projects::Settings::OperationsController do
shared_examples
'user without write access'
do
|
project_visibility
|
shared_examples
'user without write access'
do
|
project_visibility
|
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
let
(
:project
)
{
create
(
:project
,
project_visibility
)
}
%w[guest reporter developer]
.
each
do
|
role
|
before
do
project
.
public_send
(
"add_
#{
role
}
"
,
user
)
end
it
'does not update tracing external_url'
do
it
'does not update tracing external_url'
do
update_project
(
project
,
external_url:
'https://gitlab.com'
)
update_project
(
project
,
external_url:
'https://gitlab.com'
)
expect
(
project
.
tracing_setting
).
to
be_nil
expect
(
project
.
tracing_setting
).
to
be_nil
end
end
end
end
end
context
'with a license'
do
context
'with a license'
do
before
do
before
do
...
@@ -125,13 +137,13 @@ describe Projects::Settings::OperationsController do
...
@@ -125,13 +137,13 @@ describe Projects::Settings::OperationsController do
end
end
end
end
context
'with
authorized user
'
do
context
'with
maintainer role
'
do
it_behaves_like
'user with write access'
,
:public
,
'https://gitlab.com'
,
'https://gitlab.com'
it_behaves_like
'user with write access'
,
:public
,
'https://gitlab.com'
,
'https://gitlab.com'
it_behaves_like
'user with write access'
,
:private
,
'https://gitlab.com'
,
'https://gitlab.com'
it_behaves_like
'user with write access'
,
:private
,
'https://gitlab.com'
,
'https://gitlab.com'
it_behaves_like
'user with write access'
,
:internal
,
'https://gitlab.com'
,
'https://gitlab.com'
it_behaves_like
'user with write access'
,
:internal
,
'https://gitlab.com'
,
'https://gitlab.com'
end
end
context
'with
unauthorized user
'
do
context
'with
non maintainer roles
'
do
it_behaves_like
'user without write access'
,
:public
it_behaves_like
'user without write access'
,
:public
it_behaves_like
'user without write access'
,
:private
it_behaves_like
'user without write access'
,
:private
it_behaves_like
'user without write access'
,
:internal
it_behaves_like
'user without write access'
,
:internal
...
...
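Review bot: In the context that stubs `tracing: false` (hunk `@@ -79,9 +85,9 @@`) only the `'user without read access'` examples run, i.e. guest/reporter/developer, who now get 404 from `authorize_update_environment!` regardless of the license, so the license check itself is no longer proven for the one role that passes authorization; the `'with invalid license'` context in `tracings_controller_spec.rb` has the same gap, and its old version at least added a reporter that passed the old read check. Add a maintainer case under the no-license context expecting 404 (presumably produced by `check_license`, which is registered first but is not shown here). In `tracings_controller_spec.rb` the new `before` also calls `sign_in(user)` although `'user without read access'` signs in again in its own `before`; harmless, but one of the two can go.
```ruby
# inside the context whose before block stubs tracing: false
context 'with maintainer role' do
  let(:project) { create(:project, :public) }

  before do
    project.add_maintainer(user)
  end

  it 'returns 404' do
    get :show, namespace_id: project.namespace, project_id: project
    expect(response).to have_gitlab_http_status(:not_found)
  end
end
```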
ee/spec/controllers/projects/tracings_controller_spec.rb
...
@@ -6,17 +6,11 @@ describe Projects::TracingsController do
...
@@ -6,17 +6,11 @@ describe Projects::TracingsController do
set
(
:user
)
{
create
(
:user
)
}
set
(
:user
)
{
create
(
:user
)
}
describe
'GET show'
do
describe
'GET show'
do
describe
'with valid license'
do
shared_examples
'user with read access'
do
|
visibility_level
|
before
do
stub_licensed_features
(
tracing:
true
)
end
shared_examples
'authorized user'
do
|
visibility_level
|
let
(
:project
)
{
create
(
:project
,
visibility_level
)
}
let
(
:project
)
{
create
(
:project
,
visibility_level
)
}
before
do
before
do
project
.
add_reporter
(
user
)
project
.
add_maintainer
(
user
)
sign_in
(
user
)
end
end
it
'renders OK'
do
it
'renders OK'
do
...
@@ -27,15 +21,12 @@ describe Projects::TracingsController do
...
@@ -27,15 +21,12 @@ describe Projects::TracingsController do
end
end
end
end
it_behaves_like
'authorized user'
,
:public
shared_examples
'user without read access'
do
|
visibility_level
|
it_behaves_like
'authorized user'
,
:internal
it_behaves_like
'authorized user'
,
:private
shared_examples
'unauthorized user'
do
|
visibility_level
|
let
(
:project
)
{
create
(
:project
,
visibility_level
)
}
let
(
:project
)
{
create
(
:project
,
visibility_level
)
}
%w[guest reporter developer]
.
each
do
|
role
|
before
do
before
do
sign_in
(
user
)
project
.
public_send
(
"add_
#{
role
}
"
,
user
)
end
end
it
'returns 404'
do
it
'returns 404'
do
...
@@ -44,37 +35,36 @@ describe Projects::TracingsController do
...
@@ -44,37 +35,36 @@ describe Projects::TracingsController do
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
end
it_behaves_like
'unauthorized user'
,
:public
it_behaves_like
'unauthorized user'
,
:internal
it_behaves_like
'unauthorized user'
,
:private
end
end
context
'with in
valid license'
do
describe
'with
valid license'
do
before
do
before
do
stub_licensed_features
(
tracing:
fals
e
)
stub_licensed_features
(
tracing:
tru
e
)
sign_in
(
user
)
sign_in
(
user
)
end
end
shared_examples
'invalid license'
do
|
visibility_level
|
context
'with maintainer role'
do
let
(
:project
)
{
create
(
:project
,
visibility_level
)
}
it_behaves_like
'user with read access'
,
:public
it_behaves_like
'user with read access'
,
:internal
it_behaves_like
'user with read access'
,
:private
end
context
'without maintainer role'
do
it_behaves_like
'user without read access'
,
:public
it_behaves_like
'user without read access'
,
:internal
it_behaves_like
'user without read access'
,
:private
end
end
context
'with invalid license'
do
before
do
before
do
stub_licensed_features
(
tracing:
false
)
stub_licensed_features
(
tracing:
false
)
project
.
add_reporter
(
user
)
sign_in
(
user
)
sign_in
(
user
)
end
end
it
'returns 404'
do
it_behaves_like
'user without read access'
,
:public
get
:show
,
namespace_id:
project
.
namespace
,
project_id:
project
it_behaves_like
'user without read access'
,
:internal
it_behaves_like
'user without read access'
,
:private
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
it_behaves_like
'invalid license'
,
:public
it_behaves_like
'invalid license'
,
:internal
it_behaves_like
'invalid license'
,
:private
end
end
end
end
end
end