Commit 996ad35b authored by Stan Hu

Merge branch 'fix-disabled-feature-access' into 'master'

Fix (i.e. prevent) access to disabled features for unauthenticated users

Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.

See merge request !1006
parents 3522018d 4a0e4c85
...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.14.0 (unreleased) v 7.14.0 (unreleased)
- Remove repository graph log to fix slow cache updates after push event (Stan Hu) - Remove repository graph log to fix slow cache updates after push event (Stan Hu)
- Fix label read access for unauthenticated users (Daniel Gerhardt) - Fix label read access for unauthenticated users (Daniel Gerhardt)
- Fix access to disabled features for unauthenticated users (Daniel Gerhardt)
- Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu) - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
- Fix file upload dialog for comment editing (Daniel Gerhardt) - Fix file upload dialog for comment editing (Daniel Gerhardt)
- Set OmniAuth full_host parameter to ensure redirect URIs are correct (Stan Hu) - Set OmniAuth full_host parameter to ensure redirect URIs are correct (Stan Hu)
......
...@@ -31,7 +31,7 @@ class Ability ...@@ -31,7 +31,7 @@ class Ability
end end
if project && project.public? if project && project.public?
[ rules = [
:read_project, :read_project,
:read_wiki, :read_wiki,
:read_issue, :read_issue,
...@@ -43,6 +43,8 @@ class Ability ...@@ -43,6 +43,8 @@ class Ability
:read_note, :read_note,
:download_code :download_code
] ]
rules - project_disabled_features_rules(project)
else else
group = if subject.kind_of?(Group) group = if subject.kind_of?(Group)
subject subject
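Review bot: the public-project branch for anonymous access now evaluates to `rules - project_disabled_features_rules(project)`, which only does its job because it is the last expression of that branch; `rules` itself is left unmodified, so the enclosing method must return this value rather than `rules`. Nothing in the change adds a spec for the scenario the commit message describes (an unauthenticated user on a public project with a feature disabled), so a test asserting that abilities such as `:read_issue` and `:read_wiki` are absent when `issues_enabled` or `wiki_enabled` is false would guard against this regressing again.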
...@@ -103,28 +105,7 @@ class Ability ...@@ -103,28 +105,7 @@ class Ability
rules -= project_archived_rules rules -= project_archived_rules
end end
unless project.issues_enabled rules - project_disabled_features_rules(project)
rules -= named_abilities('issue')
end
unless project.merge_requests_enabled
rules -= named_abilities('merge_request')
end
unless project.issues_enabled or project.merge_requests_enabled
rules -= named_abilities('label')
rules -= named_abilities('milestone')
end
unless project.snippets_enabled
rules -= named_abilities('project_snippet')
end
unless project.wiki_enabled
rules -= named_abilities('wiki')
end
rules
end end
end end
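Review bot: `rules - project_disabled_features_rules(project)` replaces both the removed `rules -= ...` block and the trailing bare `rules` return, so it depends on being the method's final expression, and the non-mutating `-` is easy to misread as a dropped `-=`. Writing it as `rules -= project_disabled_features_rules(project)` followed by `rules` would make the intent explicit and match the `rules -= project_archived_rules` line directly above it.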
...@@ -206,6 +187,33 @@ class Ability ...@@ -206,6 +187,33 @@ class Ability
] ]
end end
def project_disabled_features_rules(project)
rules = []
unless project.issues_enabled
rules += named_abilities('issue')
end
unless project.merge_requests_enabled
rules += named_abilities('merge_request')
end
unless project.issues_enabled or project.merge_requests_enabled
rules += named_abilities('label')
rules += named_abilities('milestone')
end
unless project.snippets_enabled
rules += named_abilities('project_snippet')
end
unless project.wiki_enabled
rules += named_abilities('wiki')
end
rules
end
def group_abilities(user, group) def group_abilities(user, group)
rules = [] rules = []
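Review bot: in the new `project_disabled_features_rules` method, `unless project.issues_enabled or project.merge_requests_enabled` uses the low-precedence `or`; it is correct as a stand-alone condition but `||` is the conventional form and avoids surprises if the expression is ever assigned or combined. The five near-identical `unless ... rules += named_abilities(...)` blocks could also be driven from a feature-to-ability mapping, which would make adding a future feature toggle a one-line change instead of another copy of the block.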
......