From 7e9c479f7de77702622631cff2628a9c8dcbc627 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 19 Nov 2020 08:27:35 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-6-stable-ee

---
 .../personal_access_tokens/create_service.rb | 27 ++++++++++++++++++----
 .../personal_access_tokens/revoke_service.rb | 11 ++++++---
 2 files changed, 30 insertions(+), 8 deletions(-)

(limited to 'app/services/personal_access_tokens')

diff --git a/app/services/personal_access_tokens/create_service.rb b/app/services/personal_access_tokens/create_service.rb
index ff9bb7d6802..93a0135669f 100644
--- a/app/services/personal_access_tokens/create_service.rb
+++ b/app/services/personal_access_tokens/create_service.rb
@@ -2,23 +2,30 @@ module PersonalAccessTokens
 class CreateService < BaseService
- def initialize(current_user, params = {})
+ def initialize(current_user:, target_user:, params: {})
 @current_user = current_user
+ @target_user = target_user
 @params = params.dup
+ @ip_address = @params.delete(:ip_address)
 end
 
 def execute
- personal_access_token = current_user.personal_access_tokens.create(params.slice(*allowed_params))
+ return ServiceResponse.error(message: 'Not permitted to create') unless creation_permitted?
 
- if personal_access_token.persisted?
- ServiceResponse.success(payload: { personal_access_token: personal_access_token })
+ token = target_user.personal_access_tokens.create(params.slice(*allowed_params))
+
+ if token.persisted?
+ log_event(token)
+ ServiceResponse.success(payload: { personal_access_token: token })
 else
- ServiceResponse.error(message: personal_access_token.errors.full_messages.to_sentence)
+ ServiceResponse.error(message: token.errors.full_messages.to_sentence, payload: { personal_access_token: token })
 end
 end
 
 private
 
+ attr_reader :target_user, :ip_address
+
 def allowed_params
 [
 :name,
@@ -27,5 +34,15 @@ module PersonalAccessTokens
 :expires_at
 ]
 end
+
+ def creation_permitted?
+ Ability.allowed?(current_user, :create_user_personal_access_token, target_user)
+ end
+
+ def log_event(token)
+ log_info("PAT CREATION: created_by: '#{current_user.username}', created_for: '#{token.user.username}', token_id: '#{token.id}'")
+ end
 end
 end
+
+PersonalAccessTokens::CreateService.prepend_if_ee('EE::PersonalAccessTokens::CreateService')
diff --git a/app/services/personal_access_tokens/revoke_service.rb b/app/services/personal_access_tokens/revoke_service.rb
index 17405002d8d..34d542acab1 100644
--- a/app/services/personal_access_tokens/revoke_service.rb
+++ b/app/services/personal_access_tokens/revoke_service.rb
@@ -4,16 +4,17 @@ module PersonalAccessTokens
 class RevokeService
 attr_reader :token, :current_user, :group
- def initialize(current_user = nil, params = { token: nil, group: nil })
+ def initialize(current_user = nil, token: nil, group: nil )
 @current_user = current_user
- @token = params[:token]
- @group = params[:group]
+ @token = token
+ @group = group
 end
 
 def execute
 return ServiceResponse.error(message: 'Not permitted to revoke') unless revocation_permitted?
 
 if token.revoke!
+ log_event
 ServiceResponse.success(message: success_message)
 else
 ServiceResponse.error(message: error_message)
@@ -33,6 +34,10 @@ module PersonalAccessTokens
 def revocation_permitted?
 Ability.allowed?(current_user, :revoke_token, token)
 end
+
+ def log_event
+ Gitlab::AppLogger.info("PAT REVOCATION: revoked_by: '#{current_user.username}', revoked_for: '#{token.user.username}', token_id: '#{token.id}'")
+ end
 end
 end
-- 
cgit v1.2.3
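Review bot: The `log_event` added here records created_by, created_for and token_id but not the request origin, even though the initializer in the previous hunk already pulls `ip_address` out of `params` and exposes it through `attr_reader :ip_address`, and nothing in this class reads it. Judging from the `prepend_if_ee` line added at the bottom of the file, it is presumably consumed by the EE module; a comment on the reader such as `# ip_address is not a token attribute; it is extracted here for the EE extension (see prepend_if_ee below)` would keep it from being removed as dead code. If the CE audit line is meant to carry the origin as well, `, ip_address: '#{ip_address}'` can be appended inside the `log_info` string, bearing in mind it may be nil when the caller did not supply one.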
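Review bot: The new signature `def initialize(current_user = nil, token: nil, group: nil )` carries a stray space before the closing parenthesis (RuboCop Layout/SpaceInsideParens); it should read `def initialize(current_user = nil, token: nil, group: nil)`. It also keeps `current_user` as an optional positional argument while `CreateService` in the same commit moved to a required `current_user:` keyword, so the two services now take the actor differently; converging on keyword arguments would keep call sites uniform, though that is a wider change than this hunk. The body of `execute` continues past the end of the hunk.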
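Review bot: `log_event` dereferences `current_user.username`, but `initialize` in the previous hunk still defaults `current_user` to nil, so the audit line is safe only because `execute` reaches it after `revocation_permitted?` passes, which presumably rejects an anonymous user via `Ability.allowed?`. That dependency deserves a comment on the method, e.g. `# Only reached after revocation_permitted?, so current_user is a real user here`, so a future reordering of `execute` does not turn the log line into a NoMethodError. Separately, this class logs through `Gitlab::AppLogger.info` while `CreateService` uses `log_info`; the visible header shows `class RevokeService` with no `BaseService` parent, which likely explains the difference, but a short comment stating that would save the next reader from trying to unify them.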