Prevent personal snippet creation for enterprise users when disallowed
What does this MR do and why?
Prevent personal snippet creation for enterprise users when disallowed
This restriction does not apply to project snippets. Since personal
snippets don't really "belong" to a resource, and the existing
personal snippet authorization checks authorize against the global
subject, we do the same thing here and add the new policy to
GlobalPolicy.
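As an added illustration of the authorization split described above (example code, not GitLab's own implementation): personal snippets have no parent resource, so the enterprise-group restriction is checked on a global policy, while project snippets stay authorized against the project and are unaffected. The class names, the `allow_personal_snippets` group attribute, the `enterprise_group` user attribute and the feature-flag table are all assumptions made for this sketch.

```ruby
# Added example, not GitLab code: a minimal model of "personal snippets are
# authorized against the global subject, project snippets against the project".
# All names below are assumptions for illustration.

# Stand-in for Feature.enable(:allow_personal_snippets_setting) in the MR steps.
FEATURE_FLAGS = { allow_personal_snippets_setting: true }

Group = Struct.new(:id, :allow_personal_snippets, keyword_init: true)

User = Struct.new(:id, :enterprise_group, keyword_init: true) do
  # An enterprise user is one whose account is claimed by an enterprise group.
  def enterprise_user?
    !enterprise_group.nil?
  end
end

Project = Struct.new(:id, :group, :member_ids, keyword_init: true)

class GlobalPolicy
  def initialize(user)
    @user = user
  end

  # Personal snippets have no resource to authorize against, so the new
  # enterprise restriction is evaluated here, on the global subject.
  def can_create_personal_snippet?
    return false if @user.nil?
    return true unless FEATURE_FLAGS[:allow_personal_snippets_setting]
    return true unless @user.enterprise_user?

    @user.enterprise_group.allow_personal_snippets
  end
end

class ProjectPolicy
  def initialize(user, project)
    @user = user
    @project = project
  end

  # Project snippets belong to the project; the enterprise-group setting
  # deliberately does not apply here.
  def can_create_project_snippet?
    !@user.nil? && @project.member_ids.include?(@user.id)
  end
end

# Mirrors the createSnippet mutation in the MR: a projectPath selects the
# project policy, its absence means a personal snippet and the global policy.
def authorize_create_snippet(user, project: nil)
  if project
    ProjectPolicy.new(user, project).can_create_project_snippet?
  else
    GlobalPolicy.new(user).can_create_personal_snippet?
  end
end

# Walks the MR's validation steps on constructed sample data.
def demo
  restricted = Group.new(id: 1, allow_personal_snippets: false)
  enterprise_user = User.new(id: 10, enterprise_group: restricted)
  ordinary_user = User.new(id: 11, enterprise_group: nil)
  project = Project.new(id: 100, group: restricted, member_ids: [10, 11])

  results = {
    enterprise_personal: authorize_create_snippet(enterprise_user),
    enterprise_project: authorize_create_snippet(enterprise_user, project: project),
    ordinary_personal: authorize_create_snippet(ordinary_user)
  }

  # Re-checking the "Allow personal snippets" box lifts the restriction.
  restricted.allow_personal_snippets = true
  results[:after_reenable] = authorize_create_snippet(enterprise_user)
  results
end

p demo if $PROGRAM_NAME == __FILE__
```

Running the file prints the four outcomes from the validation steps: the enterprise user is denied a personal snippet but allowed a project snippet, an ordinary user is unaffected, and re-enabling the group setting restores personal snippets.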
I plan to follow this change up with a corresponding documentation update.
References
Resolves #552393
Screenshots or screen recordings
How to set up and validate locally
- Simulate SaaS on your local environment
- From the rails console, enable the feature flag:

  ```ruby
  Feature.enable(:allow_personal_snippets_setting)
  ```

- Go to a group with an active subscription. The Gitlab Duo top-level group should have an ultimate subscription. If this group doesn't exist, I believe it can be created with `rake gitlab:duo:setup`
- Under **Permissions and group features**, uncheck the **Allow personal snippets** box.
- There's probably a better way to simulate an enterprise user, but I couldn't find one documented. Instead, I manually set the enterprise group of my user to be the group id of the Gitlab Duo group:

  ```ruby
  group = Group.find(<Gitlab Duo group id>)
  user = User.find(<your user id>)
  user.update!(enterprise_group: group)
  ```

- Using the **+** menu on the top right, there is no option to create a new snippet "In Gitlab"
- Create a project in the group
- Successfully create a snippet in the project
- Attempt to create a personal snippet via the API and receive a `The resource that you are attempting to access does not exist or you don't have permission to perform this action` error:

  ```shell
  curl --request POST \
    --url http://localhost:3000/api/graphql \
    --header "PRIVATE-TOKEN: <token>" \
    --header "Content-Type: application/json" \
    --data '{"query":"mutation { createSnippet(input: { title: \"My Snippet\", description: \"A test snippet\", visibilityLevel: private, blobActions: [{action: create, filePath: \"example.txt\", content: \"Hello World\"}] }) { snippet { id title description visibilityLevel } errors } }"}'
  ```

- Successfully create a project snippet via the API:

  ```shell
  curl --request POST \
    --url http://localhost:3000/api/graphql \
    --header "PRIVATE-TOKEN: <token>" \
    --header "Content-Type: application/json" \
    --data '{"query":"mutation { createSnippet(input: { title: \"My Project Snippet\", description: \"A test project snippet\", projectPath: \"<project_path>\", visibilityLevel: private, blobActions: [{action: create, filePath: \"example.txt\", content: \"Hello World\"}] }) { snippet { id title description visibilityLevel } errors } }"}'
  ```

- Check the **Allow personal snippets** box, and successfully create a personal snippet.
- Cleanup by removing your user from the enterprise group:

  ```ruby
  user.update!(enterprise_group: nil)
  ```
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Fred Reinink