author | John T Skarbek <jskarbek@gitlab.com> | 2019-08-14 21:11:04 +0300 |
---|---|---|
committer | John T Skarbek <jskarbek@gitlab.com> | 2019-08-14 21:11:04 +0300 |
commit | 2b2efbc609a85093238ee3bec94358670021d0e5 (patch) | |
tree | 671ff737363c10b61e4a970e1c108319cc07e37d /app | |
parent | affa81eb79ec0ca01a1a0c2733cc5cdffb3b9ff1 (diff) | |
parent | 7b52cff4896c8f681aea34fb273209400cf3e06e (diff) |
Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'
Diffstat (limited to 'app')
-rw-r--r-- | app/models/project_services/slash_commands_service.rb | 2 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 3 |
2 files changed, 5 insertions, 0 deletions
diff --git a/app/models/project_services/slash_commands_service.rb b/app/models/project_services/slash_commands_service.rb index 5f5cff97808..cb16ad75d14 100644 --- a/app/models/project_services/slash_commands_service.rb +++ b/app/models/project_services/slash_commands_service.rb @@ -35,6 +35,8 @@ class SlashCommandsService < Service chat_user = find_chat_user(params) if chat_user&.user + return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands) + Gitlab::SlashCommands::Command.new(project, chat_user, params).execute else url = authorize_chat_name_url(params) diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 134de1c9ace..311aab0dcd4 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy enable :access_git enable :receive_notifications enable :use_quick_actions + enable :use_slash_commands end rule { blocked | internal }.policy do @@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy prevent :access_api prevent :access_git prevent :receive_notifications + prevent :use_slash_commands end rule { required_terms_not_accepted }.policy do @@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy rule { access_locked }.policy do prevent :log_in + prevent :use_slash_commands end rule { ~(anonymous & restricted_public_level) }.policy do |
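Review bot: In `slash_commands_service.rb`, the new authorization guard puts its condition at the end of a very long line, so the `can?(:use_slash_commands)` check is easy to overlook in a method that decides whether a chat command runs. A block form reads better: `unless chat_user.user.can?(:use_slash_commands)`, `return Gitlab::SlashCommands::Presenters::Access.new.access_denied`, `end`. I would also add a comment above it, for example `# A linked chat account can belong to a user who is blocked or locked; re-check on every command.` As far as the hunk shows, the denial is returned without leaving any record; a log entry here would let operators notice a blocked account that keeps issuing commands. The enclosing method starts and ends outside the hunk.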
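Review bot: In `global_policy.rb`, `prevent :use_slash_commands` is copied by hand into the `blocked | internal` rule (second hunk) and the `access_locked` rule (third hunk), so the ability only tracks login status as long as every future rule that prevents `:log_in` remembers to add it as well. Since the branch name says the intent is to restrict slash commands to users who can log in, deriving it once would be harder to get wrong: `rule { ~can?(:log_in) }.prevent :use_slash_commands`. This assumes the `blocked | internal` rule also prevents `:log_in` above the hunk, which is not visible here. The `required_terms_not_accepted` rule whose header closes the second hunk is untouched and its body is outside the hunk, so it is worth confirming that users who have not accepted the terms are meant to keep slash-command access.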