Add warning when external user accesses internal catalog project

Changelog: other

Add warning when external user accesses internal catalog project
5128a652 · Kenneth Chu · 066125db · 5128a652 · 5128a652
Commit 5128a652 authored 6 months ago by Kenneth Chu
--- a/app/services/ci/components/fetch_service.rb
+++ b/app/services/ci/components/fetch_service.rb
@@ -42,9 +42,15 @@ def execute
          ServiceResponse.error(message: "#{error_prefix} content not found", reason: :content_not_found)
        end
      rescue Gitlab::Access::AccessDeniedError
-        ServiceResponse.error(
-          message: "#{error_prefix} project does not exist or you don't have sufficient permissions",
-          reason: :not_allowed)
+        if current_user.external? && component_path.project.internal?
+          ServiceResponse.error(
+            message: "#{error_prefix} project is `Internal`, it cannot be accessed by an External User",
+            reason: :not_allowed)
+        else
+          ServiceResponse.error(
+            message: "#{error_prefix} project does not exist or you don't have sufficient permissions",
+            reason: :not_allowed)
+        end
      end

      private

--- a/spec/services/ci/components/fetch_service_spec.rb
+++ b/spec/services/ci/components/fetch_service_spec.rb
@@ -64,9 +64,42 @@
        let(:version) { 'master' }
        let(:current_user) { create(:user) }

-        it 'returns an error' do
+        it 'returns a generic error response' do
          expect(result).to be_error
          expect(result.reason).to eq(:not_allowed)
+          expect(result.message)
+            .to eq(
+              "component '#{address}' - " \
+              "project does not exist or you don't have sufficient permissions"
+            )
+        end
+
+        context 'when the user is external and the project is internal' do
+          let(:current_user) { create(:user, :external) }
+          let(:project) do
+            project = create(
+              :project, :custom_repo, :internal,
+              files: {
+                'templates/component/template.yml' => content
+              }
+            )
+            project.repository.add_tag(project.creator, 'v0.1', project.repository.commit.sha)
+
+            create(:release, project: project, tag: 'v0.1', sha: project.repository.commit.sha)
+            create(:ci_catalog_resource, project: project)
+
+            project
+          end
+
+          it 'returns an error response for external user accessing internal project' do
+            expect(result).to be_error
+            expect(result.reason).to eq(:not_allowed)
+            expect(result.message)
+              .to eq(
+                "component '#{address}' - " \
+                "project is `Internal`, it cannot be accessed by an External User"
+              )
+          end
        end
      end