Commit 84b81c03 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'jj-457235-promote-quick-action-prevent-non-member-17-1' into '17-1-stable-ee'

Prevent non-members from using the promote_to quick action

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4190



Merged-by: default avatarGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: default avatarJaviera Tapia <jtapia@gitlab.com>
Co-authored-by: Joseph Wambua's avatarJoseph Wambua <jjoshua@gitlab.com>
parents e5025019 ce44d723
......@@ -116,6 +116,7 @@ def extract_work_items(params)
def validate_promote_to(type)
return error_msg(:not_found, action: 'promote') unless type && supports_promote_to?(type.name)
return error_msg(:forbidden, action: 'promote') unless promotion_allowed?
return if current_user.can?(:"create_#{type.base_type}", quick_action_target)
error_msg(:forbidden, action: 'promote')
......@@ -129,6 +130,10 @@ def supports_promotion?
current_type.base_type.in?(promote_to_map.keys)
end
def promotion_allowed?
current_user.can?(:update_work_item, quick_action_target)
end
def supports_promote_to?(type_name)
type_name == promote_to_map[current_type.base_type]
end
......
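Review bot: `promotion_allowed?` in the second hunk gates promotion on `:update_work_item`, but nothing in the code records why that ability is checked in addition to the `create_#{type.base_type}` check that follows it in `validate_promote_to`, so a later reader may take the two guards for duplicates. Judging from the spec changes in this commit, the first guard appears to exist because a non-member of a public project can pass the create check while still not being allowed to change the work item; a comment on the predicate such as `# Creating the target type may be allowed to non-members of a public project; only users who can update this work item may promote it.` would preserve that reasoning (worth confirming against the ability definitions, which are outside the hunk). The two `error_msg(:forbidden, action: 'promote')` returns in `validate_promote_to` could also be collapsed into a single guard, `return error_msg(:forbidden, action: 'promote') unless promotion_allowed? && current_user.can?(:"create_#{type.base_type}", quick_action_target)`, removing the bare `return if` that precedes the final expression. The closing `end` of `validate_promote_to` lies outside the first hunk.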
......@@ -533,6 +533,21 @@
end
end
context 'when user is not allowed to promote work item' do
let_it_be_with_reload(:noteable) { create(:work_item, :task, project: project) }
let_it_be(:note_text) { '/promote_to issue' }
let_it_be(:note) { create(:note, noteable: noteable, project: project, note: note_text) }
before do
project.team.find_member(maintainer.id).destroy!
project.update!(visibility: Gitlab::VisibilityLevel::PUBLIC)
end
it 'does not promote work item' do
expect { execute(note) }.not_to change { noteable.work_item_type.base_type }
end
end
context 'on a task' do
let_it_be_with_reload(:noteable) { create(:work_item, :task, project: project) }
let_it_be(:note_text) { '/promote_to Issue' }
......
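Review bot: The example in the new context only asserts that `noteable.work_item_type.base_type` does not change, so it would also pass if the `/promote_to issue` command were never recognised (a typo in `note_text`, or the command not being available on the noteable) rather than being refused for permissions. Asserting on the outcome the command reports — the forbidden message, if `execute(note)` exposes it in this spec, or at least that no system note about the promotion is created — would tie the example to the behaviour this commit adds. The `before` block's intent is also only implicit: a comment such as `# the maintainer becomes a non-member of a now-public project, so the command is visible but promotion must be refused` would explain why the membership is destroyed and the visibility changed together. The enclosing `describe` begins and ends outside the hunk.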
......@@ -30,6 +30,7 @@
multiple_merge_request_reviewers: false,
multiple_merge_request_assignees: false
)
project.add_developer(current_user)
end
describe '#execute' do
......@@ -3540,6 +3541,16 @@
expect(explanations).to be_empty
end
end
context 'when promotion is not allowed' do
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:task) { build(:work_item, :task, project: public_project) }
it 'returns the forbidden error message' do
_, _, message = service.execute(content, task)
expect(message).to eq(_('Failed to promote this work item: You have insufficient permissions.'))
end
end
end
describe '/set_parent command' do
......
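Review bot: In the new `/promote_to` context, `let_it_be(:task) { build(:work_item, :task, project: public_project) }` pairs `let_it_be` with `build`, which does not persist the record; `let_it_be` is meant for database-backed fixtures shared across examples, so `let(:task) { build(...) }` (or `create`, if the service needs a persisted work item) would be the conventional choice. The description 'when promotion is not allowed' also hides the reason the permission is denied: `current_user` is added as a developer on `project` in the first hunk but, as far as the hunks show, is not a member of `public_project`, so a description like `'when the user is not a member of the public project'` or a comment `# current_user can see the public project but is not a member, so :update_work_item is denied` would make the setup clearer. Both enclosing `describe` blocks begin and end outside the hunks.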