diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:54:48 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:54:51 +0300 |
commit | a9dbe1080bcbc5019e7d30f968225e8e973f482e (patch) | |
tree | 1a3b3c3d0de9b547573b770bd4d03e7606451b5b /app | |
parent | 6a5a90d3c71f6b8f3f012f42edf85b73a4a28e50 (diff) |
Merge branch 'security-pipeline-trigger-tokens-exposure-11-7' into 'security-11-7'
[11.7] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2855
(cherry picked from commit 17ce10bc58a06e202d2194dc64ec132a1f6305bc)
74b4bb38 Do not expose trigger token when user should not see it
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/settings/ci_cd_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/triggers_controller.rb | 7 | ||||
-rw-r--r-- | app/models/ci/trigger.rb | 3 | ||||
-rw-r--r-- | app/presenters/ci/trigger_presenter.rb | 19 | ||||
-rw-r--r-- | app/views/projects/triggers/_trigger.html.haml | 2 |
5 files changed, 27 insertions, 6 deletions
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb index 75e590f3f33..f2f63e986bb 100644 --- a/app/controllers/projects/settings/ci_cd_controller.rb +++ b/app/controllers/projects/settings/ci_cd_controller.rb @@ -99,7 +99,9 @@ module Projects def define_triggers_variables @triggers = @project.triggers + .present(current_user: current_user) @trigger = ::Ci::Trigger.new + .present(current_user: current_user) end def define_badges_variables diff --git a/app/controllers/projects/triggers_controller.rb b/app/controllers/projects/triggers_controller.rb index f5fdfb8accc..c7b4ebb2b24 100644 --- a/app/controllers/projects/triggers_controller.rb +++ b/app/controllers/projects/triggers_controller.rb @@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController end def trigger - @trigger ||= project.triggers.find(params[:id]) || render_404 + @trigger ||= project.triggers.find(params[:id]) + .present(current_user: current_user) end def trigger_params - params.require(:trigger).permit( - :description - ) + params.require(:trigger).permit(:description) end end diff --git a/app/models/ci/trigger.rb b/app/models/ci/trigger.rb index 55db42162ca..637148c4ce4 100644 --- a/app/models/ci/trigger.rb +++ b/app/models/ci/trigger.rb @@ -4,6 +4,7 @@ module Ci class Trigger < ActiveRecord::Base extend Gitlab::Ci::Model include IgnorableColumn + include Presentable ignore_column :deleted_at @@ -29,7 +30,7 @@ module Ci end def short_token - token[0...4] + token[0...4] if token.present? end def legacy? diff --git a/app/presenters/ci/trigger_presenter.rb b/app/presenters/ci/trigger_presenter.rb new file mode 100644 index 00000000000..605c8f328a4 --- /dev/null +++ b/app/presenters/ci/trigger_presenter.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +module Ci + class TriggerPresenter < Gitlab::View::Presenter::Delegated + presents :trigger + + def has_token_exposed? + can?(current_user, :admin_trigger, trigger) + end + + def token + if has_token_exposed? + trigger.token + else + trigger.short_token + end + end + end +end diff --git a/app/views/projects/triggers/_trigger.html.haml b/app/views/projects/triggers/_trigger.html.haml index 7e4618e1a88..6f6f1e5e0c5 100644 --- a/app/views/projects/triggers/_trigger.html.haml +++ b/app/views/projects/triggers/_trigger.html.haml @@ -1,6 +1,6 @@ %tr %td - - if can?(current_user, :admin_trigger, trigger) + - if trigger.has_token_exposed? %span= trigger.token = clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard") - else |