
Check for register_project_runners permission in Ci::Runners::AssignRunnerService

What does this MR do and why?

This MR tightens security checks around assigning runners to new projects by doing that check at the service level on Ci::Runners::AssignRunnerService. This is similar to the recent https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3233. All of the endpoints where this service is being called from are checking for admin user, so I'm doing this fix in the public repo.

Part of #409470 (closed), https://gitlab.com/gitlab-com/gl-security/rcas/-/issues/10

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
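
As an added illustration (not code from this merge request or from GitLab), the sketch below shows the pattern the description refers to: the permission check lives inside the service, so a caller that skips its own check still cannot assign a runner. The class names, the `Policy` module and the result hashes are hypothetical stand-ins; only the `register_project_runners` permission name comes from the page.

```ruby
# Constructed stand-ins for the real models (assumptions, not GitLab classes).
User    = Struct.new(:name, :admin, :maintained_project_ids)
Project = Struct.new(:id, :runner_ids)
Runner  = Struct.new(:id)

# Hypothetical policy lookup standing in for an ability check on the project.
module Policy
  def self.allowed?(user, ability, project)
    return false if user.nil?
    return false unless ability == :register_project_runners

    user.admin || user.maintained_project_ids.include?(project.id)
  end
end

# Before: the service trusts every caller to have authorized the user already.
class UncheckedAssignService
  def initialize(runner, project, user)
    @runner, @project, @user = runner, project, user
  end

  def execute
    @project.runner_ids << @runner.id
    { status: :success }
  end
end

# After: the service enforces the permission itself, whatever the caller did.
class CheckedAssignService
  def initialize(runner, project, user)
    @runner, @project, @user = runner, project, user
  end

  def execute
    unless Policy.allowed?(@user, :register_project_runners, @project)
      return { status: :error, reason: :not_authorized }
    end

    @project.runner_ids << @runner.id unless @project.runner_ids.include?(@runner.id)
    { status: :success }
  end
end

if __FILE__ == $PROGRAM_NAME
  outsider = User.new("outsider", false, [])
  p CheckedAssignService.new(Runner.new(42), Project.new(1, []), outsider).execute
end
```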
