Merge branch 'security-pipeline-trigger-tokens-exposure-11-7' into 'security-11-7'

[11.7] Do not expose trigger token when user should not see it See merge request gitlab/gitlabhq!2855 (cherry picked from commit 17ce10bc58a06e202d2194dc64ec132a1f6305bc) 74b4bb38 Do not expose trigger token when user should not see it
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 15:54:48 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 15:54:51 +0300
commit: a9dbe1080bcbc5019e7d30f968225e8e973f482e (patch)
tree: 1a3b3c3d0de9b547573b770bd4d03e7606451b5b /app
parent: 6a5a90d3c71f6b8f3f012f42edf85b73a4a28e50 (diff)
5 files changed, 27 insertions, 6 deletions
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 75e590f3f33..f2f63e986bb 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -99,7 +99,9 @@ module Projects
 
       def define_triggers_variables
         @triggers = @project.triggers
+          .present(current_user: current_user)
         @trigger = ::Ci::Trigger.new
+          .present(current_user: current_user)
       end
 
       def define_badges_variables
diff --git a/app/controllers/projects/triggers_controller.rb b/app/controllers/projects/triggers_controller.rb
index f5fdfb8accc..c7b4ebb2b24 100644
--- a/app/controllers/projects/triggers_controller.rb
+++ b/app/controllers/projects/triggers_controller.rb
@@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController
   end
 
   def trigger
-    @trigger ||= project.triggers.find(params[:id]) || render_404
+    @trigger ||= project.triggers.find(params[:id])
+      .present(current_user: current_user)
   end
 
   def trigger_params
-    params.require(:trigger).permit(
-      :description
-    )
+    params.require(:trigger).permit(:description)
   end
 end
diff --git a/app/models/ci/trigger.rb b/app/models/ci/trigger.rb
index 55db42162ca..637148c4ce4 100644
--- a/app/models/ci/trigger.rb
+++ b/app/models/ci/trigger.rb
@@ -4,6 +4,7 @@ module Ci
   class Trigger < ActiveRecord::Base
     extend Gitlab::Ci::Model
     include IgnorableColumn
+    include Presentable
 
     ignore_column :deleted_at
 
@@ -29,7 +30,7 @@ module Ci
     end
 
     def short_token
-      token[0...4]
+      token[0...4] if token.present?
     end
 
     def legacy?
diff --git a/app/presenters/ci/trigger_presenter.rb b/app/presenters/ci/trigger_presenter.rb
new file mode 100644
index 00000000000..605c8f328a4
--- /dev/null
+++ b/app/presenters/ci/trigger_presenter.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Ci
+  class TriggerPresenter < Gitlab::View::Presenter::Delegated
+    presents :trigger
+
+    def has_token_exposed?
+      can?(current_user, :admin_trigger, trigger)
+    end
+
+    def token
+      if has_token_exposed?
+        trigger.token
+      else
+        trigger.short_token
+      end
+    end
+  end
+end
diff --git a/app/views/projects/triggers/_trigger.html.haml b/app/views/projects/triggers/_trigger.html.haml
index 7e4618e1a88..6f6f1e5e0c5 100644
--- a/app/views/projects/triggers/_trigger.html.haml
+++ b/app/views/projects/triggers/_trigger.html.haml
@@ -1,6 +1,6 @@
 %tr
   %td
-    - if can?(current_user, :admin_trigger, trigger)
+    - if trigger.has_token_exposed?
       %span= trigger.token
       = clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard")
     - else
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-24 15:54:48 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-24 15:54:51 +0300
commit	a9dbe1080bcbc5019e7d30f968225e8e973f482e (patch)
tree	1a3b3c3d0de9b547573b770bd4d03e7606451b5b /app
parent	6a5a90d3c71f6b8f3f012f42edf85b73a4a28e50 (diff)