author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2021-04-28 10:28:43 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2021-04-28 10:28:43 +0300 |
commit | bbdea2d94d2d87b366fe8e023dcc76c78cfe2375 (patch) | |
tree | b9a1c84456ffdd0a9671d5eba849866b2f5ca09a /app | |
parent | 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff) | |
parent | d8d57a90208c62b29e5218f97525404859232a55 (diff) |
Merge remote-tracking branch 'dev/13-11-stable' into 13-11-stable
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/sessionless_authentication.rb | 6 | ||||
-rw-r--r-- | app/controllers/graphql_controller.rb | 8 | ||||
-rw-r--r-- | app/controllers/projects/branches_controller.rb | 2 | ||||
-rw-r--r-- | app/graphql/mutations/base_mutation.rb | 13 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 4 | ||||
-rw-r--r-- | app/services/auth/dependency_proxy_authentication_service.rb | 5 | ||||
-rw-r--r-- | app/services/issues/base_service.rb | 4 | ||||
-rw-r--r-- | app/services/projects/branches_by_mode_service.rb | 2 | ||||
-rw-r--r-- | app/views/projects/mirrors/_authentication_method.html.haml | 2 |
9 files changed, 37 insertions, 9 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb index 882fef7a342..3c8a683439a 100644 --- a/app/controllers/concerns/sessionless_authentication.rb +++ b/app/controllers/concerns/sessionless_authentication.rb @@ -7,11 +7,15 @@ module SessionlessAuthentication # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens def authenticate_sessionless_user!(request_format) - user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format) + user = request_authenticator.find_sessionless_user(request_format) sessionless_sign_in(user) if user end + def request_authenticator + @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(request) + end + def sessionless_user? current_user && !session.key?('warden.user.user.key') end diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index a13ec1daddb..38bfb5ef2f8 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -110,7 +110,13 @@ class GraphqlController < ApplicationController end def context - @context ||= { current_user: current_user, is_sessionless_user: !!sessionless_user?, request: request } + api_user = !!sessionless_user? + @context ||= { + current_user: current_user, + is_sessionless_user: api_user, + request: request, + scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator) + } end def build_variables(variable_info) diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb index f522dffdf3e..5006aa75ce5 100644 --- a/app/controllers/projects/branches_controller.rb +++ b/app/controllers/projects/branches_controller.rb 
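Review bot: `request_authenticator` is added as a public instance method of a controller concern, placed between `authenticate_sessionless_user!` and `sessionless_user?`; whether this part of the module sits under `private` is not visible in the hunk, and if it does not, the memoized helper becomes an action-callable public method on every controller that includes the concern. It is only an internal helper, so it belongs under `private` (or `private :request_authenticator` after the definition). The memoization is also undocumented; a one-line comment such as `# Memoized so the GraphQL scope validator (see GraphqlController#context) reuses the same authenticator that signed the user in` would record why `@request_authenticator ||=` replaced the inline `new`. The enclosing `SessionlessAuthentication` module continues outside the hunk.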
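Review bot: In `context`, `api_user = !!sessionless_user?` runs on every call because it sits outside the `@context ||=` memoization, so `sessionless_user?` is re-evaluated even when `@context` is already built. The local also holds a boolean meaning "this is a sessionless request", not a user, so the name `api_user` misleads at the `ScopeValidator.new(api_user, ...)` call. Moving the computation inside a memoized `begin`/`end` and giving it a predicate-style name fixes both; `GraphqlController` continues outside the hunk.
```ruby
def context
  @context ||= begin
    sessionless = !!sessionless_user?
    {
      current_user: current_user,
      is_sessionless_user: sessionless,
      request: request,
      scope_validator: ::Gitlab::Auth::ScopeValidator.new(sessionless, request_authenticator)
    }
  end
end
```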
@@ -185,7 +185,7 @@ class Projects::BranchesController < Projects::ApplicationController # Here we get one more branch to indicate if there are more data we're not showing limit = @overview_max_branches + 1 - if Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true) + if Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml) @active_branches = BranchesFinder.new(@repository, { per_page: limit, sort: sort_value_recently_updated }) .execute(gitaly_pagination: true).select(&:active?) diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb index 1f18a37fcb9..da658e1f108 100644 --- a/app/graphql/mutations/base_mutation.rb +++ b/app/graphql/mutations/base_mutation.rb @@ -44,9 +44,18 @@ module Mutations end end + def self.authorizes_object? + true + end + def self.authorized?(object, context) - # we never provide an object to mutations, but we do need to have a user. - context[:current_user].present? && !context[:current_user].blocked? + auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api) + + return true if auth.ok?(:global, context[:current_user], + scope_validator: context[:scope_validator]) + + # in our mutations we raise, rather than returning a null value. + raise_resource_not_available_error! end # See: AuthorizeResource#authorized_resource? diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 5ee34ebbb2f..d16c4734b2c 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -23,6 +23,7 @@ class GlobalPolicy < BasePolicy prevent :receive_notifications prevent :use_quick_actions prevent :create_group + prevent :execute_graphql_mutation end rule { default }.policy do @@ -32,6 +33,7 @@ class GlobalPolicy < BasePolicy enable :receive_notifications enable :use_quick_actions enable :use_slash_commands + enable :execute_graphql_mutation end rule { inactive }.policy do 
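Review bot: `self.authorized?` passes `context[:scope_validator]` straight through to `auth.ok?`, but within this commit only `GraphqlController#context` puts that key in the context; any other caller that executes the schema with a hand-built context will pass `nil`, and whether `ObjectAuthorization#ok?` then skips or fails the scope check cannot be seen here, so a guard or an explicit spec is worth adding so that a missing validator cannot become a silent allow. The removed comment about mutations having no object but needing a user is not replaced, and `authorizes_object?` returning `true` when no object is ever supplied is surprising without one; a comment above `self.authorized?` such as `# Mutations are authorized against the global policy: the user needs :execute_graphql_mutation, checked within the :api token scope via context[:scope_validator]; failure raises instead of returning false.` would cover both. The `object` parameter is now unused and could be renamed `_object`. The enclosing class continues outside the hunk.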
@@ -48,6 +50,8 @@ class GlobalPolicy < BasePolicy prevent :use_slash_commands end + rule { ~can?(:access_api) }.prevent :execute_graphql_mutation + rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do prevent :access_git end diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb index 1b8c16b7c79..fab42e0ebb6 100644 --- a/app/services/auth/dependency_proxy_authentication_service.rb +++ b/app/services/auth/dependency_proxy_authentication_service.rb @@ -8,7 +8,10 @@ module Auth def execute(authentication_abilities:) return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled - return error('access forbidden', 403) unless current_user + + # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this + # JWT only as `User.find`, we currently only allow User (not DeployToken, etc) + return error('access forbidden', 403) unless current_user.is_a?(User) { token: authorized_token.encoded } end diff --git a/app/services/issues/base_service.rb b/app/services/issues/base_service.rb index 87615d1b4f2..07e4a10708e 100644 --- a/app/services/issues/base_service.rb +++ b/app/services/issues/base_service.rb @@ -34,7 +34,7 @@ module Issues private - def filter_params(merge_request) + def filter_params(issue) super moved_issue = params.delete(:moved_issue) @@ -44,6 +44,8 @@ module Issues params.delete(:iid) unless current_user.can?(:set_issue_iid, project) params.delete(:created_at) unless moved_issue || current_user.can?(:set_issue_created_at, project) params.delete(:updated_at) unless moved_issue || current_user.can?(:set_issue_updated_at, project) + + issue.system_note_timestamp = params[:created_at] || params[:updated_at] end def create_assignee_note(issue, old_assignees) diff --git a/app/services/projects/branches_by_mode_service.rb b/app/services/projects/branches_by_mode_service.rb index dbdcef066f4..090671cc79a 100644 
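Review bot: `rule { ~can?(:access_api) }.prevent :execute_graphql_mutation` is the control that actually ties mutations to API access, yet it carries no comment, while the `enable :execute_graphql_mutation` in the `default` block of the `@@ -32` hunk reads as if every signed-in user may run mutations; a reader has to know DeclarativePolicy's prevent-over-enable precedence to see that this deny wins. A comment on the rule such as `# GraphQL mutations are an API write surface: anyone denied :access_api must also be denied :execute_graphql_mutation, regardless of the default enable above.` would make the intent explicit. The condition of the first `prevent` block at `@@ -23` lies outside its hunk, so whether unauthenticated users are covered there or only by this rule cannot be confirmed from the diff.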
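Review bot: `issue.system_note_timestamp = params[:created_at] || params[:updated_at]` is only safe because it comes after the three `params.delete` guards — a caller lacking `:set_issue_created_at`/`:set_issue_updated_at` has already had those keys stripped, so the note timestamp can only take a value the caller was allowed to set — but nothing says so, and a refactor that moves the line above the guards would reintroduce the problem silently. A why-comment on the new line, `# Must stay below the permission filtering above: only timestamps the caller may set can backdate system notes.`, would pin the ordering. When neither key survives, the assignment writes `nil`; if `system_note_timestamp` could already hold a value set elsewhere (not visible here), that would clear it, so guarding the assignment with `if params[:created_at] || params[:updated_at]` may be intended. The middle of `filter_params` lies between the two hunks; the rename from `merge_request` to `issue` in the first hunk is what makes `issue` available here.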
--- a/app/services/projects/branches_by_mode_service.rb +++ b/app/services/projects/branches_by_mode_service.rb @@ -37,7 +37,7 @@ class Projects::BranchesByModeService def use_gitaly_pagination? return false if params[:page].present? || params[:search].present? - Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true) + Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml) end def fetch_branches_via_offset_pagination diff --git a/app/views/projects/mirrors/_authentication_method.html.haml b/app/views/projects/mirrors/_authentication_method.html.haml index 94f8703657b..5f31ec4087e 100644 --- a/app/views/projects/mirrors/_authentication_method.html.haml +++ b/app/views/projects/mirrors/_authentication_method.html.haml @@ -13,4 +13,4 @@ .form-group .well-password-auth.collapse.js-well-password-auth = f.label :password, _("Password"), class: "label-bold" - = f.password_field :password, value: mirror.password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password' + = f.password_field :password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password' |
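Review bot: Dropping `value: mirror.password` stops the stored mirror credential from being rendered into the page, but it also means an edit form submitted without touching the field now posts an empty `password`; unless the update path already treats a blank password as "leave unchanged" (not visible in this diff), saving the mirror settings could clear a working credential. That behaviour should be confirmed with a spec that submits the form with the field blank and asserts the stored password is untouched. A short comment above the field, `-# Never pre-fill the stored password; the server keeps the existing value when this is submitted blank`, would record both halves of the contract once confirmed.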