Skip user auth check in alerts_controller#notify
What does this MR do?
The AlertsController#notify API is hit by alertmanager when an alert occurs. There will never be a signed in user for that API.
But the current implementation checks if the current_user has permission to read the given project.
This MR changes it to not check for user permissions. Misuse is prevented by the token that is present in the request. The token in the request is checked against the project.alerting_setting.token
(line in code).
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated via this MR -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Tested in all supported browsers -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the database guides -
Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process. -
EE specific content should be in the top level /ee
folder -
For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan? -
Security reports checked/validated by reviewer
Closes #9504 (closed)
Edited by Reuben Pereira