Merge branch '9504-fix-alert-notify' into 'master'

Skip user auth check in alerts_controller#notify Closes #9504 See merge request gitlab-org/gitlab-ee!9636

Merge branch '9504-fix-alert-notify' into 'master'
Skip user auth check in alerts_controller#notify Closes #9504 See merge request gitlab-org/gitlab-ee!9636
b7372314 · Rémy Coutable · 80855ba9 · 93d074db · b7372314 · b7372314
Commit b7372314 authored Feb 22, 2019 by Rémy Coutable
5 changed files
--- a/ee/app/controllers/projects/prometheus/alerts_controller.rb
+++ b/ee/app/controllers/projects/prometheus/alerts_controller.rb
@@ -7,6 +7,10 @@ module Projects

      protect_from_forgery except: [:notify]

+      skip_before_action :project, only: [:notify]
+
+      prepend_before_action :repository, :project_without_auth, only: [:notify]
+
      before_action :authorize_read_prometheus_alerts!, except: [:notify]
      before_action :authorize_admin_project!, except: [:notify]
      before_action :alert, only: [:update, :show, :destroy]
@@ -102,6 +106,15 @@ module Projects
      def extract_alert_manager_token(request)
        Doorkeeper::OAuth::Token.from_bearer_authorization(request)
      end
+
+      def project_without_auth
+        return @project if @project
+
+        namespace = params[:namespace_id]
+        id = params[:project_id]
+
+        @project = Project.find_by_full_path("#{namespace}/#{id}")
+      end
    end
  end
 end
--- a/ee/app/services/projects/prometheus/alerts/notify_service.rb
+++ b/ee/app/services/projects/prometheus/alerts/notify_service.rb
@@ -9,7 +9,7 @@ module Projects
          return false unless valid_alert_manager_token?(token)

          send_alert_email(project, firings) if firings.any?
-          persist_events(project, current_user, params)
+          persist_events(project, params)

          true
        end
@@ -88,8 +88,8 @@ module Projects
            .prometheus_alerts_fired(project, firings)
        end

-        def persist_events(project, current_user, params)
-          CreateEventsService.new(project, current_user, params).execute
+        def persist_events(project, params)
+          CreateEventsService.new(project, nil, params).execute
        end
      end
    end

--- a/ee/changelogs/unreleased/9504-fix-alert-notify.yml
+++ b/ee/changelogs/unreleased/9504-fix-alert-notify.yml
+---
+title: Fix alert notifications for non-public projects
+merge_request: 9636
+author:
+type: fixed
--- a/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
+++ b/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
@@ -88,10 +88,12 @@ describe Projects::Prometheus::AlertsController do
    let(:notify_service) { spy }

    before do
+      sign_out(user)
+
      expect(Projects::Prometheus::Alerts::NotifyService)
        .to receive(:new)
+        .with(project, nil, duck_type(:permitted?))
        .and_return(notify_service)
-        .with(project, user, duck_type(:permitted?))
    end

    it 'renders ok if notification succeeds' do

--- a/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
+++ b/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
@@ -3,10 +3,9 @@
 require 'spec_helper'

 describe Projects::Prometheus::Alerts::NotifyService do
-  set(:user) { create(:user) }
  set(:project) { create(:project) }

-  let(:service) { described_class.new(project, user, payload) }
+  let(:service) { described_class.new(project, nil, payload) }
  let(:token_input) { 'token' }
  let(:subject) { service.execute(token_input) }