Commit 68fd66c6 authored by Job van der Voort's avatar Job van der Voort

block visibility level restriction override in controller

parent d4180875
...@@ -23,7 +23,21 @@ module Gitlab ...@@ -23,7 +23,21 @@ module Gitlab
end end
def allowed_for?(user, level) def allowed_for?(user, level)
user.is_admin? || !Gitlab.config.gitlab.restricted_visibility_levels.include?(level) user.is_admin? || allowed_level?(level)
end
# Level can be a string `"public"` or a value `20`, first check if valid,
# then check if the corresponding string appears in the config
def allowed_level?(level)
if options.has_key?(level.to_s)
non_restricted_level?(level)
elsif options.has_value?(level.to_i)
non_restricted_level?(options.key(level.to_i).downcase)
end
end
def non_restricted_level?(level)
! Gitlab.config.gitlab.restricted_visibility_levels.include?(level)
end end
end end
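Review bot: The two branches of `allowed_level?` normalise the level differently: the first passes `level` to `non_restricted_level?` as received, while the second downcases the key from `options` first. `options` is defined outside the hunk, but the `.downcase` suggests its keys are capitalised; if so, a caller-supplied `"Public"` matches `has_key?` and is then compared unchanged against a config holding `"public"`, so the restriction would not apply. The `elsif` also relies on `level.to_i`, which turns any non-numeric string into `0`, so an unrecognised name would be judged as whichever level has the value 0, if one does. I would resolve the input to one canonical name first, deny anything that does not resolve, and compare only the downcased name, as sketched below.

```ruby
def allowed_level?(level)
  name = level_name(level)
  !name.nil? && non_restricted_level?(name.downcase)
end

# Resolve a numeric level or a level name to its key in `options`;
# anything unrecognised yields nil so the caller denies it.
def level_name(level)
  text = level.to_s
  if text =~ /\A\d+\z/
    options.key(text.to_i)
  else
    options.keys.find { |key| key.casecmp(text) == 0 }
  end
end
# … unchanged: non_restricted_level? …
```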
......
...@@ -48,7 +48,7 @@ describe Projects::UpdateService do ...@@ -48,7 +48,7 @@ describe Projects::UpdateService do
context 'respect configured visibility restrictions setting' do context 'respect configured visibility restrictions setting' do
before(:each) do before(:each) do
@restrictions = double("restrictions") @restrictions = double("restrictions")
@restrictions.stub(:restricted_visibility_levels) { [ Gitlab::VisibilityLevel::PUBLIC ] } @restrictions.stub(:restricted_visibility_levels) { [ "public" ] }
Settings.stub_chain(:gitlab).and_return(@restrictions) Settings.stub_chain(:gitlab).and_return(@restrictions)
end end
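Review bot: The stub now returns `[ "public" ]` where it previously returned `[ Gitlab::VisibilityLevel::PUBLIC ]`, so the expected format of `restricted_visibility_levels` has changed from integers to lowercase names, and nothing visible in this hunk covers a configuration that still holds the integer form. With the new name-based `include?`, such a config would appear to restrict nothing, which fails open. I would add examples in this context that pass the level as `Gitlab::VisibilityLevel::PUBLIC`, as `"Public"` and as an unknown value, each expecting the update to be refused for a non-admin, and either document the new config format or accept both forms. The `context` block continues outside the hunk.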
......