gitlab.com/gitlab-org/gitlab-foss.git
author: Sarah Yasonik <syasonik@gitlab.com> 2019-06-27 13:54:29 +0300
committer: Rémy Coutable <remy@rymai.me> 2019-06-27 13:54:29 +0300
commit: 9c50cf03f5cfe5df5eff28edb80aa9fc1ab9fe6e
tree: 8c0c12fd13fba5585ad66033cc52bf6d343a512d /lib
parent: e7193f235643a4b53d82206a7771586bcc46c88a
Add permission check to dashboards
Adds permission checks to the metrics_dashboard endpoint. Users with role of Reporter or above should have access to view the metrics for a given project.
Diffstat (limited to 'lib')
-rw-r--r-- lib/gitlab/metrics/dashboard/base_service.rb | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/gitlab/metrics/dashboard/base_service.rb b/lib/gitlab/metrics/dashboard/base_service.rb
index 90895eb237a..0628e82e592 100644
--- a/lib/gitlab/metrics/dashboard/base_service.rb
+++ b/lib/gitlab/metrics/dashboard/base_service.rb
@@ -10,6 +10,8 @@ module Gitlab
NOT_FOUND_ERROR = Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError
def get_dashboard
+ return error('Insufficient permissions.', :unauthorized) unless allowed?
+
success(dashboard: process_dashboard)
rescue NOT_FOUND_ERROR
error("#{dashboard_path} could not be found.", :not_found)
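Review bot: the early return at the top of get_dashboard reports a failed permission check as :unauthorized, which conventionally corresponds to HTTP 401 (missing or invalid credentials), whereas the condition tested here is a known user who lacks the ability. If callers map this symbol straight to a response status, consider a forbidden-style status for this case, or reuse :not_found so the response does not distinguish a dashboard the caller may not read from one that does not exist. The placement of the guard before process_dashboard is right, since no dashboard data is built for a denied user.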
@@ -30,6 +32,12 @@ module Gitlab
private
+ # Determines whether users should be able to view
+ # dashboards at all.
+ def allowed?
+ Ability.allowed?(current_user, :read_environment, project)
+ end
+
# Returns a new dashboard Hash, supplemented with DB info
def process_dashboard
Gitlab::Metrics::Dashboard::Processor
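Review bot: the comment above allowed? does not explain why :read_environment is the ability that gates dashboards, while the commit message states the intent as "Reporter or above". Record that link in the comment, so that a later change to who holds :read_environment is understood to change dashboard access as well, and say whether services built on this base class are expected to override allowed?. It is also worth covering with a test what this check returns when current_user is nil, since the hunk passes current_user through without handling that case itself.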