author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:13:19 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:13:26 +0300 |
commit | c49ef67dc34ca5770ca16ce3df17786f82cfbcb2 (patch) | |
tree | a28b8cfc9e2e0425de24e654886e1ab3a28407fd | |
parent | f36b8d30e5026d0d4c76ca8103e53f241cf71d7c (diff) |
Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
-rw-r--r-- | app/controllers/import/github_controller.rb | 13 | ||||
-rw-r--r-- | spec/controllers/import/github_controller_spec.rb | 32 |
2 files changed, 42 insertions, 3 deletions
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 41477519ba5..12210afd44a 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -7,6 +7,8 @@ class Import::GithubController < Import::BaseController
 include ActionView::Helpers::SanitizeHelper
 include Import::GithubOauth
 
+ before_action :authorize_owner_access!, except: [:new, :callback, :personal_access_token, :status, :details, :create,
+ :realtime_changes, :cancel_all, :counts]
 before_action :verify_import_enabled
 before_action :provider_auth, only: [:status, :realtime_changes, :create]
 before_action :expire_etag_cache, only: [:status, :create]
@@ -92,8 +94,6 @@ class Import::GithubController < Import::BaseController
 end
 
 def failures
- project = Project.imported_from(provider_name).find(params[:project_id])
-
 unless project.import_finished?
 return render status: :bad_request, json: {
 message: _('The import is not complete.')
@@ -107,7 +107,6 @@ class Import::GithubController < Import::BaseController
 end
 
 def cancel
- project = Project.imported_from(provider_name).find(params[:project_id])
 result = Import::Github::CancelProjectImportService.new(project, current_user).execute
 
 if result[:status] == :success
@@ -168,6 +167,14 @@ class Import::GithubController < Import::BaseController
 
 private
 
+ def project
+ @project ||= Project.imported_from(provider_name).find(params[:project_id])
+ end
+
+ def authorize_owner_access!
+ return render_404 unless current_user.can?(:owner_access, project)
+ end
+
 def import_params
 params.permit(permitted_import_params)
 end
diff --git a/spec/controllers/import/github_controller_spec.rb b/spec/controllers/import/github_controller_spec.rb
index fdc0ddda9f4..bf56043a496 100644
--- a/spec/controllers/import/github_controller_spec.rb
+++ b/spec/controllers/import/github_controller_spec.rb
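Review bot: The new `before_action :authorize_owner_access!` names the actions it exempts rather than the ones it guards, so which actions are actually owner-checked (the visible hunks show `failures` and `cancel` going through the `project` lookup) has to be inferred by subtracting the `except:` list from the controller's action set. That deny-list shape is the safer default, since an action added later is covered unless someone explicitly exempts it, but the line should say so, e.g. `# Owner check is opt-out: any action not listed in except: must take a project_id the current user owns.` Because it is declared ahead of `verify_import_enabled` and `provider_auth`, the project lookup and a possible 404 now run before the import-enabled check for the guarded actions; if that ordering is intended it is worth stating in the same comment.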
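Review bot: In `authorize_owner_access!` the `return` in `return render_404 unless current_user.can?(:owner_access, project)` adds nothing: it is the method's last expression, and the render is what halts the filter chain, so `render_404 unless current_user.can?(:owner_access, project)` reads cleaner. The memoized `project` helper relies on `find` raising `ActiveRecord::RecordNotFound` for an id that is not a project imported from this provider, which Rails maps to a 404 response by default; a one-line comment such as `# Raises RecordNotFound (-> 404) unless the id is a project imported from this provider.` would make the two 404 paths, unknown project and non-owner, visibly intentional. Both helpers are private and serve the `failures` and `cancel` hunks above, whose bodies continue outside this diff.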
@@ -395,6 +395,12 @@ RSpec.describe Import::GithubController, feature_category: :importers do
 )
 end
 
+ let(:user) { project.owner }
+
+ before do
+ sign_in(user)
+ end
+
 context 'when import is not finished' do
 it 'return bad_request' do
 get :failures, params: { project_id: project.id }
@@ -434,6 +440,16 @@ RSpec.describe Import::GithubController, feature_category: :importers do
 expect(json_response.first['title']).to eq(issue_title)
 end
 end
+
+ context 'when signed user is not the owner' do
+ let(:user) { create(:user) }
+
+ it 'renders 404' do
+ get :failures, params: { project_id: project.id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
 end
 
 describe "POST cancel" do
@@ -444,6 +460,12 @@ RSpec.describe Import::GithubController, feature_category: :importers do
 )
 end
 
+ let(:user) { project.owner }
+
+ before do
+ sign_in(user)
+ end
+
 context 'when project import was canceled' do
 before do
 allow(Import::Github::CancelProjectImportService)
@@ -476,6 +498,16 @@ RSpec.describe Import::GithubController, feature_category: :importers do
 expect(json_response['errors']).to eq('The import cannot be canceled because it is finished')
 end
 end
+
+ context 'when signed user is not the owner' do
+ let(:user) { create(:user) }
+
+ it 'renders 404' do
+ post :cancel, params: { project_id: project.id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
 end
 
 describe 'POST cancel_all' do
|
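Review bot: The two new 'when signed user is not the owner' contexts (for `failures` in the second hunk and for `cancel` in the last one) exercise only a user with no relationship to the project, so they would pass just as well if the controller checked plain membership instead of `:owner_access`. A maintainer-level member expecting `:not_found`, e.g. `let(:user) { create(:user).tap { |u| project.add_maintainer(u) } }`, would pin the owner-only contract these tests are meant to protect. The owner path is already handled by the describe-level `sign_in(user)` with `let(:user) { project.owner }`, which the nested `let(:user)` overrides lazily, so no extra setup is needed for the added case; the enclosing describe blocks start outside these hunks.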