Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
535761c9
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
535761c9
编写于
3月 22, 2019
作者:
S
Shinya Maeda
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Disallow guest users from accessing Releases
As they do not have a permission to read git tag
上级
9d826aed
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
46 addition
and
3 deletion
+46
-3
app/policies/project_policy.rb
app/policies/project_policy.rb
+1
-1
changelogs/unreleased/disallow-guests-to-access-releases.yml
changelogs/unreleased/disallow-guests-to-access-releases.yml
+5
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+2
-2
spec/requests/api/releases_spec.rb
spec/requests/api/releases_spec.rb
+38
-0
未找到文件。
app/policies/project_policy.rb
浏览文件 @
535761c9
...
...
@@ -178,7 +178,6 @@ class ProjectPolicy < BasePolicy
enable
:read_cycle_analytics
enable
:award_emoji
enable
:read_pages_content
enable
:read_release
end
# These abilities are not allowed to admins that are not members of the project,
...
...
@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy
enable
:read_deployment
enable
:read_merge_request
enable
:read_sentry_issue
enable
:read_release
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
...
...
changelogs/unreleased/disallow-guests-to-access-releases.yml
0 → 100644
浏览文件 @
535761c9
---
title
:
Disallow guest users from accessing Releases
merge_request
:
author
:
type
:
security
spec/policies/project_policy_spec.rb
浏览文件 @
535761c9
...
...
@@ -15,7 +15,7 @@ describe ProjectPolicy do
read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji
read_release
award_emoji
]
end
...
...
@@ -24,7 +24,7 @@ describe ProjectPolicy do
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
read_merge_request download_wiki_code read_sentry_issue
read_release
]
end
...
...
spec/requests/api/releases_spec.rb
浏览文件 @
535761c9
...
...
@@ -4,12 +4,14 @@ describe API::Releases do
let
(
:project
)
{
create
(
:project
,
:repository
,
:private
)
}
let
(
:maintainer
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:non_project_member
)
{
create
(
:user
)
}
let
(
:commit
)
{
create
(
:commit
,
project:
project
)
}
before
do
project
.
add_maintainer
(
maintainer
)
project
.
add_reporter
(
reporter
)
project
.
add_guest
(
guest
)
project
.
repository
.
add_tag
(
maintainer
,
'v0.1'
,
commit
.
id
)
project
.
repository
.
add_tag
(
maintainer
,
'v0.2'
,
commit
.
id
)
...
...
@@ -66,6 +68,24 @@ describe API::Releases do
end
end
context
'when user is a guest'
do
it
'responds 403 Forbidden'
do
get
api
(
"/projects/
#{
project
.
id
}
/releases"
,
guest
)
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
context
'when project is public'
do
let
(
:project
)
{
create
(
:project
,
:repository
,
:public
)
}
it
'responds 200 OK'
do
get
api
(
"/projects/
#{
project
.
id
}
/releases"
,
guest
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
end
context
'when user is not a project member'
do
it
'cannot find the project'
do
get
api
(
"/projects/
#{
project
.
id
}
/releases"
,
non_project_member
)
...
...
@@ -189,6 +209,24 @@ describe API::Releases do
end
end
end
context
'when user is a guest'
do
it
'responds 403 Forbidden'
do
get
api
(
"/projects/
#{
project
.
id
}
/releases/v0.1"
,
guest
)
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
context
'when project is public'
do
let
(
:project
)
{
create
(
:project
,
:repository
,
:public
)
}
it
'responds 200 OK'
do
get
api
(
"/projects/
#{
project
.
id
}
/releases/v0.1"
,
guest
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
end
end
context
'when specified tag is not found in the project'
do
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录