Commit 883b511b authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-358-operations-page-visible-to-reporters' into 'master'

[master] Operations settings page visible to reporter users

See merge request gitlab/gitlab-ee!724
parents c270ade7 4cfa0b8a
...@@ -4,8 +4,7 @@ module Projects ...@@ -4,8 +4,7 @@ module Projects
module Settings module Settings
class OperationsController < Projects::ApplicationController class OperationsController < Projects::ApplicationController
before_action :check_license before_action :check_license
before_action :authorize_update_environment!, only: [:create, :update] before_action :authorize_update_environment!
before_action :authorize_read_environment!, only: [:show]
def show def show
@tracing_settings ||= ProjectTracingSetting.for_project(@project) @tracing_settings ||= ProjectTracingSetting.for_project(@project)
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
class Projects::TracingsController < Projects::ApplicationController class Projects::TracingsController < Projects::ApplicationController
before_action :check_license before_action :check_license
before_action :authorize_read_environment!, only: [:show] before_action :authorize_update_environment!
def show def show
end end
......
---
title: Prevent reporter roles from viewing the Jaeger tracing settings page
merge_request:
author:
type: security
...@@ -10,21 +10,27 @@ describe Projects::Settings::OperationsController do ...@@ -10,21 +10,27 @@ describe Projects::Settings::OperationsController do
end end
describe 'GET show' do describe 'GET show' do
shared_examples 'user without access to project' do |project_visibility| shared_examples 'user without read access' do |project_visibility|
let(:project) { create(:project, project_visibility) } let(:project) { create(:project, project_visibility) }
it 'returns 404' do %w[guest reporter developer].each do |role|
get :show, namespace_id: project.namespace, project_id: project before do
project.public_send("add_#{role}", user)
end
expect(response).to have_gitlab_http_status(:not_found) it 'returns 404' do
get :show, namespace_id: project.namespace, project_id: project
expect(response).to have_gitlab_http_status(:not_found)
end
end end
end end
shared_examples 'user with access to project' do |project_visibility| shared_examples 'user with read access' do |project_visibility|
let(:project) { create(:project, project_visibility) } let(:project) { create(:project, project_visibility) }
before do before do
project.add_reporter(user) project.add_maintainer(user)
end end
it 'renders ok' do it 'renders ok' do
...@@ -50,16 +56,16 @@ describe Projects::Settings::OperationsController do ...@@ -50,16 +56,16 @@ describe Projects::Settings::OperationsController do
stub_licensed_features(tracing: true) stub_licensed_features(tracing: true)
end end
context 'when logged in with correct permission' do context 'with maintainer role' do
it_behaves_like 'user with access to project', :public it_behaves_like 'user with read access', :public
it_behaves_like 'user with access to project', :private it_behaves_like 'user with read access', :private
it_behaves_like 'user with access to project', :internal it_behaves_like 'user with read access', :internal
end end
context 'when logged in without correct permission' do context 'without maintainer role' do
it_behaves_like 'user without access to project', :public it_behaves_like 'user without read access', :public
it_behaves_like 'user without access to project', :private it_behaves_like 'user without read access', :private
it_behaves_like 'user without access to project', :internal it_behaves_like 'user without read access', :internal
end end
context 'when user not logged in' do context 'when user not logged in' do
...@@ -67,7 +73,7 @@ describe Projects::Settings::OperationsController do ...@@ -67,7 +73,7 @@ describe Projects::Settings::OperationsController do
sign_out(user) sign_out(user)
end end
it_behaves_like 'user without access to project', :public it_behaves_like 'user without read access', :public
it_behaves_like 'user needs to login', :private it_behaves_like 'user needs to login', :private
it_behaves_like 'user needs to login', :internal it_behaves_like 'user needs to login', :internal
...@@ -79,9 +85,9 @@ describe Projects::Settings::OperationsController do ...@@ -79,9 +85,9 @@ describe Projects::Settings::OperationsController do
stub_licensed_features(tracing: false) stub_licensed_features(tracing: false)
end end
it_behaves_like 'user without access to project', :public it_behaves_like 'user without read access', :public
it_behaves_like 'user without access to project', :private it_behaves_like 'user without read access', :private
it_behaves_like 'user without access to project', :internal it_behaves_like 'user without read access', :internal
end end
end end
...@@ -99,10 +105,16 @@ describe Projects::Settings::OperationsController do ...@@ -99,10 +105,16 @@ describe Projects::Settings::OperationsController do
shared_examples 'user without write access' do |project_visibility| shared_examples 'user without write access' do |project_visibility|
let(:project) { create(:project, project_visibility) } let(:project) { create(:project, project_visibility) }
it 'does not update tracing external_url' do %w[guest reporter developer].each do |role|
update_project(project, external_url: 'https://gitlab.com') before do
project.public_send("add_#{role}", user)
end
it 'does not update tracing external_url' do
update_project(project, external_url: 'https://gitlab.com')
expect(project.tracing_setting).to be_nil expect(project.tracing_setting).to be_nil
end
end end
end end
...@@ -125,13 +137,13 @@ describe Projects::Settings::OperationsController do ...@@ -125,13 +137,13 @@ describe Projects::Settings::OperationsController do
end end
end end
context 'with authorized user' do context 'with maintainer role' do
it_behaves_like 'user with write access', :public, 'https://gitlab.com', 'https://gitlab.com' it_behaves_like 'user with write access', :public, 'https://gitlab.com', 'https://gitlab.com'
it_behaves_like 'user with write access', :private, 'https://gitlab.com', 'https://gitlab.com' it_behaves_like 'user with write access', :private, 'https://gitlab.com', 'https://gitlab.com'
it_behaves_like 'user with write access', :internal, 'https://gitlab.com', 'https://gitlab.com' it_behaves_like 'user with write access', :internal, 'https://gitlab.com', 'https://gitlab.com'
end end
context 'with unauthorized user' do context 'with non maintainer roles' do
it_behaves_like 'user without write access', :public it_behaves_like 'user without write access', :public
it_behaves_like 'user without write access', :private it_behaves_like 'user without write access', :private
it_behaves_like 'user without write access', :internal it_behaves_like 'user without write access', :internal
......
...@@ -6,36 +6,27 @@ describe Projects::TracingsController do ...@@ -6,36 +6,27 @@ describe Projects::TracingsController do
set(:user) { create(:user) } set(:user) { create(:user) }
describe 'GET show' do describe 'GET show' do
describe 'with valid license' do shared_examples 'user with read access' do |visibility_level|
let(:project) { create(:project, visibility_level) }
before do before do
stub_licensed_features(tracing: true) project.add_maintainer(user)
end end
shared_examples 'authorized user' do |visibility_level| it 'renders OK' do
let(:project) { create(:project, visibility_level) } get :show, namespace_id: project.namespace, project_id: project
before do
project.add_reporter(user)
sign_in(user)
end
it 'renders OK' do
get :show, namespace_id: project.namespace, project_id: project
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(response).to render_template(:show) expect(response).to render_template(:show)
end
end end
end
it_behaves_like 'authorized user', :public shared_examples 'user without read access' do |visibility_level|
it_behaves_like 'authorized user', :internal let(:project) { create(:project, visibility_level) }
it_behaves_like 'authorized user', :private
shared_examples 'unauthorized user' do |visibility_level|
let(:project) { create(:project, visibility_level) }
%w[guest reporter developer].each do |role|
before do before do
sign_in(user) project.public_send("add_#{role}", user)
end end
it 'returns 404' do it 'returns 404' do
...@@ -44,37 +35,36 @@ describe Projects::TracingsController do ...@@ -44,37 +35,36 @@ describe Projects::TracingsController do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
end end
it_behaves_like 'unauthorized user', :public
it_behaves_like 'unauthorized user', :internal
it_behaves_like 'unauthorized user', :private
end end
context 'with invalid license' do describe 'with valid license' do
before do before do
stub_licensed_features(tracing: false) stub_licensed_features(tracing: true)
sign_in(user) sign_in(user)
end end
shared_examples 'invalid license' do |visibility_level| context 'with maintainer role' do
let(:project) { create(:project, visibility_level) } it_behaves_like 'user with read access', :public
it_behaves_like 'user with read access', :internal
before do it_behaves_like 'user with read access', :private
stub_licensed_features(tracing: false) end
project.add_reporter(user)
sign_in(user)
end
it 'returns 404' do context 'without maintainer role' do
get :show, namespace_id: project.namespace, project_id: project it_behaves_like 'user without read access', :public
it_behaves_like 'user without read access', :internal
it_behaves_like 'user without read access', :private
end
end
expect(response).to have_gitlab_http_status(:not_found) context 'with invalid license' do
end before do
stub_licensed_features(tracing: false)
sign_in(user)
end end
it_behaves_like 'invalid license', :public it_behaves_like 'user without read access', :public
it_behaves_like 'invalid license', :internal it_behaves_like 'user without read access', :internal
it_behaves_like 'invalid license', :private it_behaves_like 'user without read access', :private
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment