Withdraw abilities when organization does not match current organization
What does this MR do and why?
This MR drops all abilities on a subject when `Current.organization` does not match the organization of the subject.
Currently, only subjects whose sharding key is `organization_id` are supported.
There are a lot of spec changes. Most of them are needed because the specs accessed data cross-organization, which this MR now prevents. In some cases, I switched to using an admin user because admins can still access data across organizations.
Exceptions
We will not drop abilities when:
- Feature flag `current_organization_policy` is disabled
- Current user is an Instance Admin
- The subject is an `Organizations::Organization` instance
- The subject does not have a sharding key that refers to the `organizations` table
- The subject `organization_id` is `nil`
- `Current.organization` is not assigned or has `nil` assigned
References
How to set up and validate locally
Preparation, using the Rails console:
- Enable the flag: `Feature.enable(:current_organization_policy)`
- Create an organization: `Organizations::Organization.create!(name: 'My Org', path: 'my-org')`
We will create a personal snippet because snippets are scoped to an organization.
- Impersonate a non-admin user (instance admins still have access)
- Open http://gdk.test:3000/-/snippets/new
- Create the snippet. It will be part of the Default Organization
- Use the Rails console to move the snippet to the new organization: `Snippet.last.update!(organization: Organizations::Organization.find_by(path: 'my-org'))`
- Open http://gdk.test:3000/dashboard/snippets: the snippet is still listed (there is no permission check there, so all snippets owned by the user are visible)
- Try to view the snippet -> it will show a 404
- Switch to the master branch
- Reload -> the snippet is now visible
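To make the exception list and the validation steps above concrete, here is an added plain-Ruby model of the decision (not the MR's code, and not DeclarativePolicy itself); `Organization`, `User`, `Subject`, `ENABLED_FLAGS`, `withdraw_abilities?` and `demo` are hypothetical stand-ins for the objects the real policy consults.

```ruby
# Added example (not the MR's code): a plain-Ruby model of the decision the
# description lays out. All class and method names here are hypothetical.
require 'set'

# Constructed stand-ins for the objects the policy consults.
Organization = Struct.new(:id, :path)
User = Struct.new(:admin)
# sharding_key_table: the table the subject's sharding key refers to
# (:organizations for a subject keyed by organization_id, :namespaces for one
# keyed by namespace_id, nil when the subject has no sharding key).
# organization_record: true when the subject is itself an Organization.
Subject = Struct.new(:organization_id, :sharding_key_table, :organization_record)

ENABLED_FLAGS = Set.new

def feature_enabled?(name)
  ENABLED_FLAGS.include?(name)
end

# True when every ability on `subject` must be withdrawn for `user` because
# Current.organization does not match the subject's organization.
# The early returns are the exceptions listed in the description, in order.
def withdraw_abilities?(subject:, user:, current_organization:)
  return false unless feature_enabled?(:current_organization_policy)
  return false if user.admin                        # instance admins keep access
  return false if subject.organization_record       # Organizations::Organization itself
  return false unless subject.sharding_key_table == :organizations
  return false if subject.organization_id.nil?
  return false if current_organization.nil?         # Current.organization unset

  subject.organization_id != current_organization.id
end

# Walk through the validation steps from the description.
def demo
  ENABLED_FLAGS << :current_organization_policy
  default_org = Organization.new(1, 'default')
  my_org      = Organization.new(2, 'my-org')
  user        = User.new(false)
  snippet     = Subject.new(default_org.id, :organizations, false) # created in Default Organization
  snippet.organization_id = my_org.id                              # moved via Snippet.last.update!
  before = withdraw_abilities?(subject: snippet, user: user, current_organization: default_org)
  after  = withdraw_abilities?(subject: snippet, user: user, current_organization: my_org)
  ENABLED_FLAGS.delete(:current_organization_policy)
  [before, after] # => [true, false]: viewing under the Default Organization yields the 404
end
```

The dashboard listing in the steps above stays unaffected because it performs no ability check at all, so only the per-subject view is withdrawn.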
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Rémy Coutable