Allow only group owners to manage group variables

Before this change we were allowing maintainers to manage group variables even though our permissions page list only owners.

Allow only group owners to manage group variables
Before this change we were allowing maintainers to manage group variables even though our permissions page list only owners.
5b6b8e5d · Marius Bobin · 81b2ae7f · 5b6b8e5d · 5b6b8e5d · 5b6b8e5d
Commit 5b6b8e5d authored Feb 18, 2021 by Marius Bobin
5 changed files
--- a/app/controllers/groups/variables_controller.rb
+++ b/app/controllers/groups/variables_controller.rb
@@ -2,7 +2,7 @@
 module Groups
  class VariablesController < Groups::ApplicationController
-    before_action :authorize_admin_build!
+    before_action :authorize_admin_group!
    skip_cross_project_access_check :show, :update

--- a/changelogs/unreleased/security-ci-api-variables-permissions.yml
+++ b/changelogs/unreleased/security-ci-api-variables-permissions.yml
+---
+title: Allow only owners to manage group variables
+merge_request:
+author:
+type: security
--- a/lib/api/group_variables.rb
+++ b/lib/api/group_variables.rb
@@ -5,8 +5,7 @@ module API
    include PaginationParams
    before { authenticate! }
-    before { authorize! :admin_build, user_group }
+    before { authorize! :admin_group, user_group }
    feature_category :continuous_integration
    params do

--- a/spec/controllers/groups/variables_controller_spec.rb
+++ b/spec/controllers/groups/variables_controller_spec.rb
@@ -5,26 +5,35 @@ require 'spec_helper'
 RSpec.describe Groups::VariablesController do
  include ExternalAuthorizationServiceHelpers
-  let(:group) { create(:group) }
+  let_it_be(:group) { create(:group) }
-  let(:user) { create(:user) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:variable) { create(:ci_group_variable, group: group) }
+  let(:access_level) { :owner }
  before do
    sign_in(user)
-    group.add_maintainer(user)
+    group.add_user(user, access_level)
  end
  describe 'GET #show' do
-    let!(:variable) { create(:ci_group_variable, group: group) }
    subject do
      get :show, params: { group_id: group }, format: :json
    end
    include_examples 'GET #show lists all variables'
+    context 'when the user is a maintainer' do
+      let(:access_level) { :maintainer }
+      it 'returns not found response' do
+        subject
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
  end
  describe 'PATCH #update' do
-    let!(:variable) { create(:ci_group_variable, group: group) }
    let(:owner) { group }
    subject do
@@ -37,6 +46,19 @@ RSpec.describe Groups::VariablesController do
    end
    include_examples 'PATCH #update updates variables'
+    context 'when the user is a maintainer' do
+      let(:access_level) { :maintainer }
+      let(:variables_attributes) do
+        [{ id: variable.id, key: 'new_key' }]
+      end
+      it 'returns not found response' do
+        subject
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
  end
  context 'with external authorization enabled' do
@@ -45,8 +67,6 @@ RSpec.describe Groups::VariablesController do
    end
    describe 'GET #show' do
-      let!(:variable) { create(:ci_group_variable, group: group) }
      it 'is successful' do
        get :show, params: { group_id: group }, format: :json
@@ -55,9 +75,6 @@ RSpec.describe Groups::VariablesController do
    end
    describe 'PATCH #update' do
-      let!(:variable) { create(:ci_group_variable, group: group) }
-      let(:owner) { group }
      it 'is successful' do
        patch :update,
              params: {

--- a/spec/requests/api/group_variables_spec.rb
+++ b/spec/requests/api/group_variables_spec.rb
@@ -3,16 +3,19 @@
 require 'spec_helper'
 RSpec.describe API::GroupVariables do
-  let(:group) { create(:group) }
+  let_it_be(:group) { create(:group) }
-  let(:user) { create(:user) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:variable) { create(:ci_group_variable, group: group) }
-  describe 'GET /groups/:id/variables' do
+  let(:access_level) {}
-    let!(:variable) { create(:ci_group_variable, group: group) }
+  before do
+    group.add_user(user, access_level) if access_level
+  end
+  describe 'GET /groups/:id/variables' do
    context 'authorized user with proper permissions' do
-      before do
+      let(:access_level) { :owner }
-        group.add_maintainer(user)
-      end
      it 'returns group variables' do
        get api("/groups/#{group.id}/variables", user)
@@ -23,6 +26,8 @@ RSpec.describe API::GroupVariables do
    end
    context 'authorized user with invalid permissions' do
+      let(:access_level) { :maintainer }
      it 'does not return group variables' do
        get api("/groups/#{group.id}/variables", user)
@@ -40,12 +45,8 @@ RSpec.describe API::GroupVariables do
  end
  describe 'GET /groups/:id/variables/:key' do
-    let!(:variable) { create(:ci_group_variable, group: group) }
    context 'authorized user with proper permissions' do
-      before do
+      let(:access_level) { :owner }
-        group.add_maintainer(user)
-      end
      it 'returns group variable details' do
        get api("/groups/#{group.id}/variables/#{variable.key}", user)
@@ -64,6 +65,8 @@ RSpec.describe API::GroupVariables do
    end
    context 'authorized user with invalid permissions' do
+      let(:access_level) { :maintainer }
      it 'does not return group variable details' do
        get api("/groups/#{group.id}/variables/#{variable.key}", user)
@@ -82,11 +85,7 @@ RSpec.describe API::GroupVariables do
  describe 'POST /groups/:id/variables' do
    context 'authorized user with proper permissions' do
-      let!(:variable) { create(:ci_group_variable, group: group) }
+      let(:access_level) { :owner }
-      before do
-        group.add_maintainer(user)
-      end
      it 'creates variable' do
        expect do
@@ -124,6 +123,8 @@ RSpec.describe API::GroupVariables do
    end
    context 'authorized user with invalid permissions' do
+      let(:access_level) { :maintainer }
      it 'does not create variable' do
        post api("/groups/#{group.id}/variables", user)
@@ -141,12 +142,8 @@ RSpec.describe API::GroupVariables do
  end
  describe 'PUT /groups/:id/variables/:key' do
-    let!(:variable) { create(:ci_group_variable, group: group) }
    context 'authorized user with proper permissions' do
-      before do
+      let(:access_level) { :owner }
-        group.add_maintainer(user)
-      end
      it 'updates variable data' do
        initial_variable = group.variables.reload.first
@@ -180,6 +177,8 @@ RSpec.describe API::GroupVariables do
    end
    context 'authorized user with invalid permissions' do
+      let(:access_level) { :maintainer }
      it 'does not update variable' do
        put api("/groups/#{group.id}/variables/#{variable.key}", user)
@@ -197,12 +196,8 @@ RSpec.describe API::GroupVariables do
  end
  describe 'DELETE /groups/:id/variables/:key' do
-    let!(:variable) { create(:ci_group_variable, group: group) }
    context 'authorized user with proper permissions' do
-      before do
+      let(:access_level) { :owner }
-        group.add_maintainer(user)
-      end
      it 'deletes variable' do
        expect do
@@ -224,6 +219,8 @@ RSpec.describe API::GroupVariables do
    end
    context 'authorized user with invalid permissions' do
+      let(:access_level) { :maintainer }
      it 'does not delete variable' do
        delete api("/groups/#{group.id}/variables/#{variable.key}", user)