-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.checksum | 2 | ||||
-rw-r--r-- | Gemfile.lock | 4 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 1 | ||||
-rw-r--r-- | doc/user/application_security/dast/proxy-based.md | 3 | ||||
-rw-r--r-- | lib/api/entities/project_import_status.rb | 11 | ||||
-rw-r--r-- | lib/api/project_import.rb | 8 | ||||
-rw-r--r-- | locale/gitlab.pot | 6 | ||||
-rw-r--r-- | spec/lib/api/entities/project_import_status_spec.rb | 38 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 11 |
10 files changed, 68 insertions, 18 deletions
@@ -183,7 +183,7 @@ gem 'typhoeus', '~> 1.4.0' # Used with Elasticsearch to support http keep-alive
 gem 'html-pipeline', '~> 2.14.3'
 gem 'deckar01-task_list', '2.3.2'
 gem 'gitlab-markup', '~> 1.9.0', require: 'github/markup'
-gem 'commonmarker', '~> 0.23.9'
+gem 'commonmarker', '~> 0.23.10'
 gem 'kramdown', '~> 2.3.1'
 gem 'RedCloth', '~> 4.3.2'
 gem 'rdoc', '~> 6.3.2'
diff --git a/Gemfile.checksum b/Gemfile.checksum
index b2c07e5a201..9d41d8915f7 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -84,7 +84,7 @@
 {"name":"coderay","version":"1.1.3","platform":"ruby","checksum":"dc530018a4684512f8f38143cd2a096c9f02a1fc2459edcfe534787a7fc77d4b"},
 {"name":"coercible","version":"1.0.0","platform":"ruby","checksum":"5081ad24352cc8435ce5472bc2faa30260c7ea7f2102cc6a9f167c4d9bffaadc"},
 {"name":"colored2","version":"3.1.2","platform":"ruby","checksum":"b13c2bd7eeae2cf7356a62501d398e72fde78780bd26aec6a979578293c28b4a"},
-{"name":"commonmarker","version":"0.23.9","platform":"ruby","checksum":"2e739c85a6961531cb6f5ba5169f2c7f64471b7e700c64b048ec22a5b230811c"},
+{"name":"commonmarker","version":"0.23.10","platform":"ruby","checksum":"fdd312ae2bb4071b2f3085d4d7533cb9f8d9057a2eaa0760228a65bc3ed565d1"},
 {"name":"concurrent-ruby","version":"1.2.2","platform":"ruby","checksum":"3879119b8b75e3b62616acc256c64a134d0b0a7a9a3fcba5a233025bcde22c4f"},
 {"name":"connection_pool","version":"2.3.0","platform":"ruby","checksum":"677985be912f33c90f98f229aaa0c0ddb2ef8776f21929a36eeeb25251c944da"},
 {"name":"cork","version":"0.3.0","platform":"ruby","checksum":"a0a0ac50e262f8514d1abe0a14e95e71c98b24e3378690e5d044daf0013ad4bc"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 3aaf6a45930..b056d21a752 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -307,7 +307,7 @@ GEM
 coercible (1.0.0)
 descendants_tracker (~> 0.0.1)
 colored2 (3.1.2)
- commonmarker (0.23.9)
+ commonmarker (0.23.10)
 concurrent-ruby (1.2.2)
 connection_pool (2.3.0)
 cork (0.3.0)
@@ -1701,7 +1701,7 @@ DEPENDENCIES
 charlock_holmes (~> 0.7.7)
 circuitbox (= 2.0.0)
 cloud_profiler_agent (~> 0.0.0)!
- commonmarker (~> 0.23.9)
+ commonmarker (~> 0.23.10)
 concurrent-ruby (~> 1.1)
 connection_pool (~> 2.0)
 countries (~> 4.0.0)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index c70dc288710..f4bba70e3cf 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -561,6 +561,7 @@ class ProjectPolicy < BasePolicy
 enable :destroy_upload
 enable :admin_incident_management_timeline_event_tag
 enable :stop_environment
+ enable :read_import_error
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
diff --git a/doc/user/application_security/dast/proxy-based.md b/doc/user/application_security/dast/proxy-based.md
index 499efd3f60d..77ab71057d2 100644
--- a/doc/user/application_security/dast/proxy-based.md
+++ b/doc/user/application_security/dast/proxy-based.md
@@ -684,6 +684,9 @@ If a site profile is linked to a security policy, a user cannot edit the profile [Scan execution policies](../policies/scan-execution-policies.md) for more information.
+NOTE:
+If a site profile's Target URL or Authenticated URL is updated, the request headers and password fields associated with that profile are cleared.
+
 When a validated site profile's file, header, or meta tag is edited, the site's [validation status](#site-profile-validation) is revoked.
diff --git a/lib/api/entities/project_import_status.rb b/lib/api/entities/project_import_status.rb
index 59388aacafd..a7e7cd9ff73 100644
--- a/lib/api/entities/project_import_status.rb
+++ b/lib/api/entities/project_import_status.rb
@@ -17,8 +17,15 @@ module API
 project.import_state&.relation_hard_failures(limit: 100) || []
 end
- expose :import_error, documentation: { type: 'string', example: 'Error message' } do |project, _options|
- project.import_state&.last_error
+ expose :import_error, documentation: { type: 'string', example: 'Error message' } do |project, options|
+ next unless options[:current_user]
+ next unless project.import_state&.last_error
+
+ if Ability.allowed?(options[:current_user], :read_import_error, project)
+ project.import_state&.last_error
+ else
+ _("Ask a maintainer to check the import status for more details.")
+ end
 end
 expose :stats, documentation: { type: 'object' } do |project, _options|
diff --git a/lib/api/project_import.rb b/lib/api/project_import.rb
index 6639b3ec346..c28d0ae2def 100644
--- a/lib/api/project_import.rb
+++ b/lib/api/project_import.rb
@@ -111,7 +111,7 @@ module API
 ).execute
 if response.success?
- present(response.payload, with: Entities::ProjectImportStatus)
+ present(response.payload, with: Entities::ProjectImportStatus, current_user: current_user)
 else
 render_api_error!(response.message, response.http_status)
 end
@@ -134,7 +134,7 @@ module API
 end
 route_setting :skip_authentication, true
 get ':id/import' do
- present user_project, with: Entities::ProjectImportStatus
+ present user_project, with: Entities::ProjectImportStatus, current_user: current_user
 end
 params do
@@ -182,7 +182,7 @@ module API
 ).execute
 if response.success?
- present(response.payload, with: Entities::ProjectImportStatus)
+ present(response.payload, with: Entities::ProjectImportStatus, current_user: current_user)
 else
 render_api_error!(response.message, response.http_status)
 end
@@ -241,7 +241,7 @@ module API
 ).execute
 if response.success?
- present(response.payload, with: Entities::ProjectImportStatus)
+ present(response.payload, with: Entities::ProjectImportStatus, current_user: current_user)
 else
 render_api_error!(response.message, response.http_status)
 end
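Review bot: The new `next unless options[:current_user]` guard in the `:import_error` block makes a missing option mean "hide", so an anonymous request to `GET :id/import` (which carries `route_setting :skip_authentication, true` in the project_import.rb hunks on this line) and any presenter of this entity that is not updated here get `nil` for `import_error`, while a reporter gets the maintainer hint; the two cases should probably be handled alike. If hiding on a nil user is intended, a comment such as `# nil current_user (unauthenticated route) hides the error as well` would document it; if not, the guard can be dropped and the decision left to the policy, which presumably also handles a nil user, though that is not visible here. Either way `project.import_state&.last_error` is read twice and can be bound once. The `expose :failed_relations` block above starts outside the hunk; the four project_import.rb hunks only thread `current_user:` through and need no separate note.
```ruby
expose :import_error, documentation: { type: 'string', example: 'Error message' } do |project, options|
  error = project.import_state&.last_error
  next unless error

  if Ability.allowed?(options[:current_user], :read_import_error, project)
    error
  else
    _("Ask a maintainer to check the import status for more details.")
  end
end
```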
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index eb0c61c1924..f9834b74482 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6300,6 +6300,9 @@ msgstr "" msgid "AsanaService|User Personal Access Token. User must have access to the task. All comments are attributed to this user." msgstr "" +msgid "Ask a maintainer to check the import status for more details." msgstr "" + msgid "Ask again later" msgstr ""
@@ -14215,6 +14218,9 @@ msgstr "" msgid "DastProfiles|Minimum = 1 second, Maximum = 3600 seconds" msgstr "" +msgid "DastProfiles|Modifying the URL will clear any previously entered values for the additional request headers and password fields." msgstr "" + msgid "DastProfiles|Monitors all HTTP requests sent to the target to find potential vulnerabilities." msgstr ""
diff --git a/spec/lib/api/entities/project_import_status_spec.rb b/spec/lib/api/entities/project_import_status_spec.rb
index 37a18718950..5d7f06dc78e 100644
--- a/spec/lib/api/entities/project_import_status_spec.rb
+++ b/spec/lib/api/entities/project_import_status_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe API::Entities::ProjectImportStatus, :aggregate_failures do
+RSpec.describe API::Entities::ProjectImportStatus, :aggregate_failures, feature_category: :importers do
 describe '#as_json' do
 subject { entity.as_json }
@@ -67,14 +67,36 @@ RSpec.describe API::Entities::ProjectImportStatus, :aggregate_failures do
 context 'when import has failed' do
 let(:project) { create(:project, :import_failed, import_type: 'import_type', import_correlation_id: correlation_id, import_last_error: 'error') }
- let(:entity) { described_class.new(project) }
+ let(:current_user) { create(:user) }
+ let(:options) { { current_user: current_user } }
+ let(:entity) { described_class.new(project, options) }
+
+ context 'when user has access to read import status' do
+ before do
+ project.add_maintainer(current_user)
+ end
+
+ it 'includes basic fields with import error' do
+ expect(subject[:import_status]).to eq('failed')
+ expect(subject[:import_type]).to eq('import_type')
+ expect(subject[:correlation_id]).to eq(correlation_id)
+ expect(subject[:import_error]).to eq('error')
+ expect(subject[:failed_relations]).to eq([])
+ end
+ end
- it 'includes basic fields with import error' do
- expect(subject[:import_status]).to eq('failed')
- expect(subject[:import_type]).to eq('import_type')
- expect(subject[:correlation_id]).to eq(correlation_id)
- expect(subject[:import_error]).to eq('error')
- expect(subject[:failed_relations]).to eq([])
+ context 'when user does not have access to read import status' do
+ before do
+ project.add_reporter(current_user)
+ end
+
+ it 'includes basic fields with import error' do
+ expect(subject[:import_status]).to eq('failed')
+ expect(subject[:import_type]).to eq('import_type')
+ expect(subject[:correlation_id]).to eq(correlation_id)
+ expect(subject[:import_error]).to eq('Ask a maintainer to check the import status for more details.')
+ expect(subject[:failed_relations]).to eq([])
+ end
 end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ee8d811971a..210c1df5ca3 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
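Review bot: The example inside the new `context 'when user does not have access to read import status'` keeps the description `'includes basic fields with import error'` although it asserts the placeholder text, so a failure reads identically for both contexts; `it 'includes basic fields with a generic import error message' do` tells them apart. No example builds the entity without a `current_user` (the `options` hash omitted, or `{ current_user: nil }`), which is the path the unauthenticated import-status route takes and for which the entity's `next unless options[:current_user]` guard yields `nil`; a third context pinning that value would catch a regression in either direction. The repeated `import_status`/`import_type`/`correlation_id`/`failed_relations` assertions could live in a shared example so each context only states its `import_error` expectation. The enclosing `describe '#as_json'` block starts outside the hunk.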
@@ -578,6 +578,11 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
 expect(described_class.new(maintainer, project)).to be_allowed(:admin_incident_management_timeline_event_tag)
 expect(described_class.new(owner, project)).to be_allowed(:admin_incident_management_timeline_event_tag)
 end
+
+ it 'allows to read import error' do
+ expect(described_class.new(maintainer, project)).to be_allowed(:read_import_error)
+ expect(described_class.new(owner, project)).to be_allowed(:read_import_error)
+ end
 end
 context 'when user is a developer/guest/reporter' do
@@ -586,6 +591,12 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
 expect(described_class.new(guest, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
 expect(described_class.new(reporter, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
 end
+
+ it 'disallows reading the import error' do
+ expect(described_class.new(developer, project)).to be_disallowed(:read_import_error)
+ expect(described_class.new(guest, project)).to be_disallowed(:read_import_error)
+ expect(described_class.new(reporter, project)).to be_disallowed(:read_import_error)
+ end
 end
 context 'when user is not a member of the project' do |
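Review bot: The new disallow example in the second hunk covers only project members (developer, guest, reporter), while the ability presumably exists to keep import error text away from non-members of a public project and from unauthenticated API callers; the `context 'when user is not a member of the project'` that begins on the hunk's last line has no `:read_import_error` assertion. Adding `expect(described_class.new(<non-member subject>, project)).to be_disallowed(:read_import_error)` there, with whichever non-member and anonymous subjects that context already defines (not visible here), would cover the case the change is most concerned with. The body of that context lies outside the hunk.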