Commit 9c50cf03 authored by Sarah Yasonik's avatar Sarah Yasonik Committed by Rémy Coutable

Add permission check to dashboards

Adds permission checks to the metrics_dashboard endpoint. Users
with role of Reporter or above should have access to view the
metrics for a given project.
parent e7193f23
---
title: Add permission check to metrics dashboards endpoint
merge_request: 30017
author:
type: added
...@@ -10,6 +10,8 @@ module Gitlab ...@@ -10,6 +10,8 @@ module Gitlab
NOT_FOUND_ERROR = Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError NOT_FOUND_ERROR = Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError
def get_dashboard def get_dashboard
return error('Insufficient permissions.', :unauthorized) unless allowed?
success(dashboard: process_dashboard) success(dashboard: process_dashboard)
rescue NOT_FOUND_ERROR rescue NOT_FOUND_ERROR
error("#{dashboard_path} could not be found.", :not_found) error("#{dashboard_path} could not be found.", :not_found)
...@@ -30,6 +32,12 @@ module Gitlab ...@@ -30,6 +32,12 @@ module Gitlab
private private
# Determines whether users should be able to view
# dashboards at all.
def allowed?
Ability.allowed?(current_user, :read_environment, project)
end
# Returns a new dashboard Hash, supplemented with DB info # Returns a new dashboard Hash, supplemented with DB info
def process_dashboard def process_dashboard
Gitlab::Metrics::Dashboard::Processor Gitlab::Metrics::Dashboard::Processor
......
...@@ -6,13 +6,19 @@ describe Gitlab::Metrics::Dashboard::DynamicDashboardService, :use_clean_rails_m ...@@ -6,13 +6,19 @@ describe Gitlab::Metrics::Dashboard::DynamicDashboardService, :use_clean_rails_m
include MetricsDashboardHelpers include MetricsDashboardHelpers
set(:project) { build(:project) } set(:project) { build(:project) }
set(:user) { create(:user) }
set(:environment) { create(:environment, project: project) } set(:environment) { create(:environment, project: project) }
before do
project.add_maintainer(user)
end
describe '#get_dashboard' do describe '#get_dashboard' do
let(:service_params) { [project, nil, { environment: environment, dashboard_path: nil }] } let(:service_params) { [project, user, { environment: environment, dashboard_path: nil }] }
let(:service_call) { described_class.new(*service_params).get_dashboard } let(:service_call) { described_class.new(*service_params).get_dashboard }
it_behaves_like 'valid embedded dashboard service response' it_behaves_like 'valid embedded dashboard service response'
it_behaves_like 'raises error for users with insufficient permissions'
it 'caches the unprocessed dashboard for subsequent calls' do it 'caches the unprocessed dashboard for subsequent calls' do
expect(YAML).to receive(:safe_load).once.and_call_original expect(YAML).to receive(:safe_load).once.and_call_original
......
...@@ -6,12 +6,17 @@ describe Gitlab::Metrics::Dashboard::Finder, :use_clean_rails_memory_store_cachi ...@@ -6,12 +6,17 @@ describe Gitlab::Metrics::Dashboard::Finder, :use_clean_rails_memory_store_cachi
include MetricsDashboardHelpers include MetricsDashboardHelpers
set(:project) { build(:project) } set(:project) { build(:project) }
set(:user) { create(:user) }
set(:environment) { create(:environment, project: project) } set(:environment) { create(:environment, project: project) }
let(:system_dashboard_path) { Gitlab::Metrics::Dashboard::SystemDashboardService::SYSTEM_DASHBOARD_PATH} let(:system_dashboard_path) { Gitlab::Metrics::Dashboard::SystemDashboardService::SYSTEM_DASHBOARD_PATH}
before do
project.add_maintainer(user)
end
describe '.find' do describe '.find' do
let(:dashboard_path) { '.gitlab/dashboards/test.yml' } let(:dashboard_path) { '.gitlab/dashboards/test.yml' }
let(:service_call) { described_class.find(project, nil, environment, dashboard_path: dashboard_path) } let(:service_call) { described_class.find(project, user, environment, dashboard_path: dashboard_path) }
it_behaves_like 'misconfigured dashboard service response', :not_found it_behaves_like 'misconfigured dashboard service response', :not_found
...@@ -41,13 +46,13 @@ describe Gitlab::Metrics::Dashboard::Finder, :use_clean_rails_memory_store_cachi ...@@ -41,13 +46,13 @@ describe Gitlab::Metrics::Dashboard::Finder, :use_clean_rails_memory_store_cachi
end end
context 'when no dashboard is specified' do context 'when no dashboard is specified' do
let(:service_call) { described_class.find(project, nil, environment) } let(:service_call) { described_class.find(project, user, environment) }
it_behaves_like 'valid dashboard service response' it_behaves_like 'valid dashboard service response'
end end
context 'when the dashboard is expected to be embedded' do context 'when the dashboard is expected to be embedded' do
let(:service_call) { described_class.find(project, nil, environment, dashboard_path: nil, embedded: true) } let(:service_call) { described_class.find(project, user, environment, dashboard_path: nil, embedded: true) }
it_behaves_like 'valid embedded dashboard service response' it_behaves_like 'valid embedded dashboard service response'
end end
......
...@@ -5,8 +5,8 @@ require 'rails_helper' ...@@ -5,8 +5,8 @@ require 'rails_helper'
describe Gitlab::Metrics::Dashboard::ProjectDashboardService, :use_clean_rails_memory_store_caching do describe Gitlab::Metrics::Dashboard::ProjectDashboardService, :use_clean_rails_memory_store_caching do
include MetricsDashboardHelpers include MetricsDashboardHelpers
set(:user) { build(:user) } set(:user) { create(:user) }
set(:project) { build(:project) } set(:project) { create(:project) }
set(:environment) { create(:environment, project: project) } set(:environment) { create(:environment, project: project) }
before do before do
...@@ -22,6 +22,8 @@ describe Gitlab::Metrics::Dashboard::ProjectDashboardService, :use_clean_rails_m ...@@ -22,6 +22,8 @@ describe Gitlab::Metrics::Dashboard::ProjectDashboardService, :use_clean_rails_m
it_behaves_like 'misconfigured dashboard service response', :not_found it_behaves_like 'misconfigured dashboard service response', :not_found
end end
it_behaves_like 'raises error for users with insufficient permissions'
context 'when the dashboard exists' do context 'when the dashboard exists' do
let(:project) { project_with_dashboard(dashboard_path) } let(:project) { project_with_dashboard(dashboard_path) }
......
...@@ -5,15 +5,21 @@ require 'spec_helper' ...@@ -5,15 +5,21 @@ require 'spec_helper'
describe Gitlab::Metrics::Dashboard::SystemDashboardService, :use_clean_rails_memory_store_caching do describe Gitlab::Metrics::Dashboard::SystemDashboardService, :use_clean_rails_memory_store_caching do
include MetricsDashboardHelpers include MetricsDashboardHelpers
set(:project) { build(:project) } set(:user) { create(:user) }
set(:project) { create(:project) }
set(:environment) { create(:environment, project: project) } set(:environment) { create(:environment, project: project) }
before do
project.add_maintainer(user)
end
describe 'get_dashboard' do describe 'get_dashboard' do
let(:dashboard_path) { described_class::SYSTEM_DASHBOARD_PATH } let(:dashboard_path) { described_class::SYSTEM_DASHBOARD_PATH }
let(:service_params) { [project, nil, { environment: environment, dashboard_path: dashboard_path }] } let(:service_params) { [project, user, { environment: environment, dashboard_path: dashboard_path }] }
let(:service_call) { described_class.new(*service_params).get_dashboard } let(:service_call) { described_class.new(*service_params).get_dashboard }
it_behaves_like 'valid dashboard service response' it_behaves_like 'valid dashboard service response'
it_behaves_like 'raises error for users with insufficient permissions'
it 'caches the unprocessed dashboard for subsequent calls' do it 'caches the unprocessed dashboard for subsequent calls' do
expect(YAML).to receive(:safe_load).once.and_call_original expect(YAML).to receive(:safe_load).once.and_call_original
......
...@@ -50,4 +50,12 @@ module MetricsDashboardHelpers ...@@ -50,4 +50,12 @@ module MetricsDashboardHelpers
it_behaves_like 'valid dashboard service response for schema' it_behaves_like 'valid dashboard service response for schema'
end end
shared_examples_for 'raises error for users with insufficient permissions' do
context 'when the user does not have sufficient access' do
let(:user) { build(:user) }
it_behaves_like 'misconfigured dashboard service response', :unauthorized
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment