Add permission check to the main publish service

We want to make sure to check permission in PublishIncidentService as well.

Add permission check to the main publish service
We want to make sure to check permission in PublishIncidentService as well.
a001ed04 · Peter Leitzen · b7cf43b2 · a001ed04 · a001ed04 · a001ed04
Commit a001ed04 authored Mar 13, 2020 by Peter Leitzen
6 changed files
--- a/ee/app/services/status_page/publish_incident_service.rb
+++ b/ee/app/services/status_page/publish_incident_service.rb
 # frozen_string_literal: true
 module StatusPage
-  # Delegate work to more specific publishing services.
+  # Publishes content to status page by delegating to specific
+  # publishing services.
  #
-  # Use this service for publishing an incident to CDN which calls:
+  # Use this service for publishing an incident to CDN synchronously.
+  # To publish asynchronously use +StatusPage::TriggerPublishService+ instead.
+  #
+  # This services calls:
  # * StatusPage::PublishDetailsService
  # * StatusPage::PublishListService
  class PublishIncidentService
    include Gitlab::Utils::StrongMemoize
-    def initialize(project:, issue_id:)
+    def initialize(user:, project:, issue_id:)
+      @user = user
      @project = project
      @issue_id = issue_id
    end
    def execute
+      return error_permission_denied unless can_publish?
      return error_issue_not_found unless issue
      response = publish_details
@@ -25,7 +31,7 @@ module StatusPage
    private
-    attr_reader :project, :issue_id
+    attr_reader :user, :project, :issue_id
    def publish_details
      PublishDetailsService.new(project: project).execute(issue, user_notes)
@@ -55,8 +61,20 @@ module StatusPage
      end
    end
+    def can_publish?
+      user.can?(:publish_status_page, project)
+    end
+    def error_permission_denied
+      error('No publish permission')
+    end
    def error_issue_not_found
-      ServiceResponse.error(message: 'Issue not found')
+      error('Issue not found')
+    end
+    def error(message)
+      ServiceResponse.error(message: message)
    end
  end
 end
--- a/ee/app/services/status_page/trigger_publish_service.rb
+++ b/ee/app/services/status_page/trigger_publish_service.rb
@@ -15,7 +15,8 @@ module StatusPage
      return unless can_publish?
      return unless status_page_enabled?
-      StatusPage::PublishIncidentWorker.perform_async(project.id, issue_id)
+      StatusPage::PublishIncidentWorker
+        .perform_async(user.id, project.id, issue_id)
    end
    private

--- a/ee/app/workers/status_page/publish_incident_worker.rb
+++ b/ee/app/workers/status_page/publish_incident_worker.rb
@@ -11,22 +11,23 @@ module StatusPage
    worker_has_external_dependencies!
    idempotent!
-    def perform(project_id, issue_id)
+    def perform(user_id, project_id, issue_id)
+      @user_id = user_id
      @project_id = project_id
      @issue_id = issue_id
-      @project = Project.find_by_id(project_id)
-      return if project.nil?
+      return unless user && project
      publish
    end
    private
-    attr_reader :project_id, :issue_id, :project
+    attr_reader :user_id, :project_id, :issue_id
    def publish
      result = PublishIncidentService
-        .new(project: project, issue_id: issue_id)
+        .new(user: user, project: project, issue_id: issue_id)
        .execute
      log_error(result.message) if result.error?
@@ -35,6 +36,14 @@ module StatusPage
      raise
    end
+    def user
+      strong_memoize(:user) { User.find_by_id(user_id) }
+    end
+    def project
+      strong_memoize(:project) { Project.find_by_id(project_id) }
+    end
    def log_error(message)
      preamble = "Failed to publish incident for project_id=#{project_id}, issue_id=#{issue_id}"
      logger.error("#{preamble}: #{message}")

--- a/ee/spec/services/status_page/publish_incident_service_spec.rb
+++ b/ee/spec/services/status_page/publish_incident_service_spec.rb
@@ -3,17 +3,24 @@
 require 'spec_helper'
 describe StatusPage::PublishIncidentService do
+  let_it_be(:user) { create(:user) }
  let_it_be(:project, refind: true) { create(:project) }
  let_it_be(:issue) { create(:issue, project: project) }
  let_it_be(:settings) { create(:status_page_setting, :enabled, project: project) }
+  let(:user_can_publish) { true }
-  let(:service) { described_class.new(project: project, issue_id: issue.id) }
+  let(:service) do
+    described_class.new(user: user, project: project, issue_id: issue.id)
+  end
  subject(:result) { service.execute }
  describe '#execute' do
    before do
      stub_licensed_features(status_page: true)
+      allow(user).to receive(:can?).with(:publish_status_page, project)
+        .and_return(user_can_publish)
    end
    context 'when publishing succeeds' do
@@ -50,6 +57,15 @@ describe StatusPage::PublishIncidentService do
        expect(result.message).to eq('Issue not found')
      end
    end
+    context 'when user cannot publish' do
+      let(:user_can_publish) { false }
+      it 'returns error missing publish permission' do
+        expect(result).to be_error
+        expect(result.message).to eq('No publish permission')
+      end
+    end
  end
  private

--- a/ee/spec/services/status_page/trigger_publish_service_spec.rb
+++ b/ee/spec/services/status_page/trigger_publish_service_spec.rb
@@ -29,11 +29,13 @@ describe StatusPage::TriggerPublishService do
      stub_feature_flags(status_page: true)
      stub_licensed_features(status_page: true)
-      allow(worker).to receive(:perform_async).with(project.id, issue.id)
+      allow(worker).to receive(:perform_async)
+        .with(user.id, project.id, issue.id)
    end
    it 'schedules a job' do
-      expect(worker).to receive(:perform_async).with(project.id, issue.id)
+      expect(worker).to receive(:perform_async)
+        .with(user.id, project.id, issue.id)
      subject
    end

--- a/ee/spec/workers/status_page/publish_incident_worker_spec.rb
+++ b/ee/spec/workers/status_page/publish_incident_worker_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 describe StatusPage::PublishIncidentWorker do
  include ExclusiveLeaseHelpers
+  let_it_be(:user) { create(:user) }
  let_it_be(:project) { create(:project) }
  let_it_be(:issue) { create(:issue, project: project) }
@@ -15,17 +16,17 @@ describe StatusPage::PublishIncidentWorker do
  before do
    allow(StatusPage::PublishIncidentService)
-      .to receive(:new).with(project: project, issue_id: issue.id)
+      .to receive(:new).with(user: user, project: project, issue_id: issue.id)
      .and_return(service)
    allow(service).to receive(:execute)
      .and_return(service_result)
  end
  describe '#perform' do
-    subject { worker.perform(project.id, issue.id) }
+    subject { worker.perform(user.id, project.id, issue.id) }
    it_behaves_like 'an idempotent worker' do
-      let(:job_args) { [project.id, issue.id] }
+      let(:job_args) { [user.id, project.id, issue.id] }
      context 'when service succeeds' do
        it 'execute the service' do