Add `:read_commit_status` field authorization to Pipeline fields that can return jobs
See: #325693 (closed)
In summary: The user is able to `:read_pipeline`, but NOT `read_commit_status`. The reason for this is that `:read_pipeline` requires only `guest` access, but `:read_commit_status` requires `reporter` access, and the affected users (I checked a few) have `guest` access.
Evidence is supplied below, from a debug session on a prod console (logs scrubbed for identifiers):
```
[ gprd ] production> pl = Ci::Pipeline.find(PIPELINE)
=> #<Ci::Pipeline id: PIPELINE, ref: "SOME_BRANCH_NAME", sha: "...">
[ gprd ] production> u = User.find(USER)
=> #<User id:USER @USER>
[ gprd ] production> Ability.allowed?(u, :read_pipeline, pl)
=> true
[ gprd ] production> Ability.allowed?(u, :read_commit_status, pl)
=> false
[ gprd ] production> pol = Ability.policy_for(u, pl)
=> #<Ci::PipelinePolicy (@USER : Ci::Pipeline/PIPELINE)>
[ gprd ] production> pol.debug(:read_pipeline)
- [0] prevent when all?(anonymous, ~public_project) ((@USER : Project/PROJECT))
- [0] prevent when repository_disabled ((@USER : Project/PROJECT))
- [0] prevent when repository_disabled ((@USER : Project/PROJECT))
- [0] prevent when all?(builds_disabled, ~internal_builds_disabled) ((@USER : Project/PROJECT))
- [0] enable when can?(:public_access) ((@USER : Project/PROJECT))
- [0] prevent when all?(~can?(:read_build), ~external_pipeline) ((@USER : Ci::Pipeline/PIPELINE))
- [0] enable when can?(:reporter_access) ((@USER : Project/PROJECT))
+ [0] enable when all?(public_builds, can?(:guest_access)) ((@USER : Project/PROJECT))
=> #<DeclarativePolicy::Runner::State:0x00007fdce25810a8 @enabled=true, @prevented=false>
[ gprd ] production> pol.debug(:read_commit_status)
- [0] enable when can?(:reporter_access) ((@USER : Project/PROJECT))
- [0] prevent when all?(builds_disabled, ~internal_builds_disabled) ((@USER : Project/PROJECT))
- [0] prevent when repository_disabled ((@USER : Project/PROJECT))
- [0] prevent when repository_disabled ((@USER : Project/PROJECT))
- [0] enable when can?(:public_access) ((@USER : Project/PROJECT))
[0] prevent when all?(anonymous, ~public_project) ((@USER : Project/PROJECT))
=> #<DeclarativePolicy::Runner::State:0x00007fdce2883d50 @enabled=false, @prevented=true>
```
Backend recommendation: add `:read_commit_status` field authorization checks to the following fields:

- `Pipeline.jobs`
- `Pipeline.job`
- `Pipeline.stages`
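
The gap between type-level and field-level authorization described above, as an added self-contained Ruby model (not GitLab code and not part of the original issue). The `resolve` helper, the numeric access levels and the sample pipeline are hypothetical; the two abilities and their `guest`/`reporter` requirements follow the debug session.

```ruby
# Added illustration, not GitLab code. All helper names and data are hypothetical.
ACCESS = { guest: 10, reporter: 20 }.freeze # constructed ordering of access levels

# Minimum access per ability, as the debug session shows for a project with public builds.
REQUIRED = { read_pipeline: :guest, read_commit_status: :reporter }.freeze

def allowed?(user, ability)
  ACCESS.fetch(user[:access]) >= ACCESS.fetch(REQUIRED.fetch(ability))
end

# Pipeline fields that can return jobs, each mapped to the extra ability it should require.
FIELD_AUTH = { jobs: :read_commit_status, job: :read_commit_status,
               stages: :read_commit_status }.freeze

# Resolve the requested fields of a pipeline for a user.
# field_auth: {} models type-level authorization only; FIELD_AUTH adds per-field checks.
def resolve(user, pipeline, fields, field_auth:)
  return nil unless allowed?(user, :read_pipeline) # type-level check on the pipeline

  fields.to_h do |name|
    ability = field_auth[name]
    # A field with no extra ability is returned; a guarded field is nil unless allowed.
    value = ability.nil? || allowed?(user, ability) ? pipeline.fetch(name) : nil
    [name, value]
  end
end

# Constructed sample data.
PIPELINE = { ref: 'SOME_BRANCH_NAME', jobs: %w[rspec deploy], job: 'rspec',
             stages: %w[test] }.freeze
GUEST = { access: :guest }.freeze
REPORTER = { access: :reporter }.freeze

def demo
  fields = %i[ref jobs stages]
  {
    guest_type_only: resolve(GUEST, PIPELINE, fields, field_auth: {}),
    guest_field_auth: resolve(GUEST, PIPELINE, fields, field_auth: FIELD_AUTH),
    reporter_field_auth: resolve(REPORTER, PIPELINE, fields, field_auth: FIELD_AUTH)
  }
end

demo.each { |label, result| puts "#{label}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```

With type-level authorization only, the guest receives `jobs` and `stages`; with the per-field checks those fields resolve to `nil` for the guest while `ref` and the reporter's results are unchanged.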