fix!: GitLab repository branch prefix can be updated by any user

This closes request #28848 GitLab repository branch prefix can be updated by any user

Any user is able to update the branch prefix of any GitLab repository integration
using the REST route PATCH /gitlab_repositories/{id}.

This is wrong, only Git adminsitrators must be allowed to do that.

Change-Id: I70febc7cc3b49d5687d8f6a3f1a061710f6cf5ef

plugins/gitlab/include/Artifact/Action/CreateBranchPrefixUpdater.php

@@ -21,6 +21,9 @@
 
 namespace Tuleap\Gitlab\Artifact\Action;
 
+use GitPermissionsManager;
+use GitUserNotAdminException;
+use PFUser;
 use Tuleap\Git\Branch\BranchName;
 use Tuleap\Git\Branch\InvalidBranchNameException;
 use Tuleap\Gitlab\Repository\GitlabRepositoryIntegrationFactory;
@@ -32,21 +35,28 @@ final class CreateBranchPrefixUpdater
 
     public function __construct(
         private GitlabRepositoryIntegrationFactory $integration_factory,
+        private GitPermissionsManager $git_permissions_manager,
         private SaveIntegrationBranchPrefix $branch_prefix_saver,
     ) {
     }
 
     /**
      * @throws GitlabRepositoryIntegrationNotFoundException
      * @throws InvalidBranchNameException
+     * @throws GitUserNotAdminException
      */
-    public function updateBranchPrefix(int $integration_id, string $prefix): void
+    public function updateBranchPrefix(PFUser $user, int $integration_id, string $prefix): void
     {
         $gitlab_repository = $this->integration_factory->getIntegrationById($integration_id);
         if (! $gitlab_repository) {
             throw new GitlabRepositoryIntegrationNotFoundException($integration_id);
         }
 
+        $project = $gitlab_repository->getProject();
+        if (! $this->git_permissions_manager->userIsGitAdmin($user, $project)) {
+            throw new GitUserNotAdminException();
+        }
+
         BranchName::fromBranchNameShortHand($prefix . self::FAKE_BRANCH_NAME);
 
         $this->branch_prefix_saver->setCreateBranchPrefixForIntegration(

plugins/gitlab/include/REST/v1/GitlabRepositoryResource.php

@@ -473,13 +473,15 @@ protected function patchId(
             $prefix_updater = new CreateBranchPrefixUpdater(
                 new GitlabRepositoryIntegrationFactory(
                     new GitlabRepositoryIntegrationDao(),
-                    ProjectManager::instance()
+                    ProjectManager::instance(),
                 ),
-                new CreateBranchPrefixDao()
+                $this->getGitPermissionsManager(),
+                new CreateBranchPrefixDao(),
             );
 
             try {
                 $prefix_updater->updateBranchPrefix(
+                    $current_user,
                     $id,
                     $patch_representation->create_branch_prefix
                 );
@@ -490,6 +492,8 @@ protected function patchId(
                     400,
                     $exception->getMessage()
                 );
+            } catch (GitUserNotAdminException $exception) {
+                throw new RestException(401, "User must be Git administrator.");
             }
         }
 

plugins/gitlab/tests/unit/Artifact/Action/CreateBranchPrefixUpdaterTest.php

@@ -22,11 +22,14 @@
 
 namespace Tuleap\Gitlab\Artifact\Action;
 
+use GitPermissionsManager;
+use GitUserNotAdminException;
 use Tuleap\Git\Branch\InvalidBranchNameException;
 use Tuleap\Gitlab\Repository\GitlabRepositoryIntegrationFactory;
 use Tuleap\Gitlab\Repository\GitlabRepositoryIntegrationNotFoundException;
 use Tuleap\Gitlab\Test\Builder\RepositoryIntegrationBuilder;
 use Tuleap\Gitlab\Test\Stubs\SaveIntegrationBranchPrefixStub;
+use Tuleap\Test\Builders\UserTestBuilder;
 use Tuleap\Test\PHPUnit\TestCase;
 
 final class CreateBranchPrefixUpdaterTest extends TestCase
@@ -38,11 +41,16 @@ final class CreateBranchPrefixUpdaterTest extends TestCase
     private $integration_factory;
     private SaveIntegrationBranchPrefixStub $branch_prefix_saver;
     private string $branch_prefix;
+    /**
+     * @var GitPermissionsManager&\PHPUnit\Framework\MockObject\MockObject
+     */
+    private $git_permissions_manager;
 
     protected function setUp(): void
     {
-        $this->integration_factory = $this->createMock(GitlabRepositoryIntegrationFactory::class);
-        $this->branch_prefix_saver = SaveIntegrationBranchPrefixStub::withCallCount();
+        $this->integration_factory     = $this->createMock(GitlabRepositoryIntegrationFactory::class);
+        $this->git_permissions_manager = $this->createMock(GitPermissionsManager::class);
+        $this->branch_prefix_saver     = SaveIntegrationBranchPrefixStub::withCallCount();
 
         $this->branch_prefix = 'dev-';
     }
@@ -51,10 +59,15 @@ private function updateBranchPrefix(): void
     {
         $updater = new CreateBranchPrefixUpdater(
             $this->integration_factory,
-            $this->branch_prefix_saver
+            $this->git_permissions_manager,
+            $this->branch_prefix_saver,
         );
 
-        $updater->updateBranchPrefix(self::INTEGRATION_ID, $this->branch_prefix);
+        $updater->updateBranchPrefix(
+            UserTestBuilder::anActiveUser()->build(),
+            self::INTEGRATION_ID,
+            $this->branch_prefix,
+        );
     }
 
     public function testItStoresTheBranchPrefix(): void
@@ -65,6 +78,11 @@ public function testItStoresTheBranchPrefix(): void
             ->with(self::INTEGRATION_ID)
             ->willReturn(RepositoryIntegrationBuilder::aGitlabRepositoryIntegration(self::INTEGRATION_ID)->build());
 
+        $this->git_permissions_manager
+            ->expects(self::once())
+            ->method('userIsGitAdmin')
+            ->willReturn(true);
+
         $this->updateBranchPrefix();
 
         self::assertSame(1, $this->branch_prefix_saver->getCallCount());
@@ -78,6 +96,11 @@ public function testItStoresTheBranchPrefixWithSomeSpecialChars(): void
             ->with(self::INTEGRATION_ID)
             ->willReturn(RepositoryIntegrationBuilder::aGitlabRepositoryIntegration(self::INTEGRATION_ID)->build());
 
+        $this->git_permissions_manager
+            ->expects(self::once())
+            ->method('userIsGitAdmin')
+            ->willReturn(true);
+
         $this->branch_prefix = 'dev/';
         $this->updateBranchPrefix();
 
@@ -98,6 +121,25 @@ public function testItThrowsAnExceptionIfIntegrationNotFoundTheBranchPrefix(): v
         self::assertSame(0, $this->branch_prefix_saver->getCallCount());
     }
 
+    public function testItThrowsAnExceptionIfUserIsNotGitAdministrator(): void
+    {
+        $this->integration_factory
+            ->expects(self::once())
+            ->method('getIntegrationById')
+            ->with(self::INTEGRATION_ID)
+            ->willReturn(RepositoryIntegrationBuilder::aGitlabRepositoryIntegration(self::INTEGRATION_ID)->build());
+
+        $this->git_permissions_manager
+            ->expects(self::once())
+            ->method('userIsGitAdmin')
+            ->willReturn(false);
+
+        $this->expectException(GitUserNotAdminException::class);
+        $this->updateBranchPrefix();
+
+        self::assertSame(0, $this->branch_prefix_saver->getCallCount());
+    }
+
     public function testItThrowsAnExceptionIfBranchPrefixIsNotValid(): void
     {
         $this->integration_factory
@@ -106,6 +148,11 @@ public function testItThrowsAnExceptionIfBranchPrefixIsNotValid(): void
             ->with(self::INTEGRATION_ID)
             ->willReturn(RepositoryIntegrationBuilder::aGitlabRepositoryIntegration(self::INTEGRATION_ID)->build());
 
+        $this->git_permissions_manager
+            ->expects(self::once())
+            ->method('userIsGitAdmin')
+            ->willReturn(true);
+
         $this->branch_prefix = 'dev:';
 
         $this->expectException(InvalidBranchNameException::class);