Commit b8fd21f9 authored by Stan Hu's avatar Stan Hu

Fix 403 Access Denied error messages when accessing Labels section in a...

Fix 403 Access Denied error messages when accessing Labels section in a project that has MRs disabled but issues enabled

Closes #1813
parent 71559a5f
......@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
end
def after_sign_out_path_for(resource)
current_application_settings.after_sign_out_path || new_user_session_path
current_application_settings.after_sign_out_path || new_user_session_path
end
def abilities
......@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
return access_denied! unless can?(current_user, action, project)
end
def authorize_labels!
# Labels should be accessible for issues and/or merge requests
authorize_read_issue! || authorize_read_merge_request!
end
def access_denied!
render "errors/access_denied", layout: "errors", status: 404
end
......
class Projects::LabelsController < Projects::ApplicationController
before_action :module_enabled
before_action :label, only: [:edit, :update, :destroy]
before_action :authorize_labels!
before_action :authorize_read_label!
before_action :authorize_admin_labels!, except: [:index]
respond_to :js, :html
......
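Review bot: `before_action :authorize_read_label!` is declared after `before_action :label`, so for edit, update and destroy the label lookup runs before the read check. Filters run in declaration order, and an authorization filter is easier to audit when it precedes any resource loading; consider moving `before_action :authorize_read_label!` and `before_action :authorize_admin_labels!, except: [:index]` above `before_action :label, only: [:edit, :update, :destroy]`. No definition of `authorize_read_label!` is visible on this page; it presumably resolves through the generic `can?(current_user, action, project)` check in ApplicationController, which deserves a short comment here such as `# resolved dynamically to a :read_label ability check on the project`.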
......@@ -138,6 +138,7 @@ class Ability
:read_project,
:read_wiki,
:read_issue,
:read_label,
:read_milestone,
:read_project_snippet,
:read_project_member,
......
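Review bot: `:read_label` is added to a rule list whose name and role lie outside this hunk, and nothing visible on this page removes the ability when both issues and merge requests are disabled. The spec in this commit expects `access_denied!` in that case, so the ability has to be stripped elsewhere. Confirm that the disabled-feature filtering covers `:read_label`, otherwise labels stay readable on projects with both features turned off. It is also worth confirming which roles inherit this list, since every one of them gains label read access with this line.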
......@@ -30,4 +30,44 @@ describe ApplicationController do
controller.send(:check_password_expiration)
end
end
describe 'check labels authorization' do
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:controller) { ApplicationController.new }
before do
project.team << [user, :guest]
allow(controller).to receive(:current_user).and_return(user)
allow(controller).to receive(:project).and_return(project)
end
it 'should succeed if issues and MRs are enabled' do
project.issues_enabled = true
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are enabled, MRs are disabled' do
project.issues_enabled = true
project.merge_requests_enabled = false
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are disabled, MRs are enabled' do
project.issues_enabled = false
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should fail if issues and MRs are disabled' do
project.issues_enabled = false
project.merge_requests_enabled = false
expect(controller).to receive(:access_denied!)
controller.send(:authorize_read_label!)
end
end
end
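Review bot: The three success cases assert `expect(response.status).to eq(200)`, but the controller is built with `ApplicationController.new` and the filter is invoked through `send`, so no request is dispatched and the response status is likely the default whatever the filter decides. These examples would then not detect a wrongly denied or wrongly granted check. Mirror the failure case and set `expect(controller).not_to receive(:access_denied!)` before `controller.send(:authorize_read_label!)`. The flags are also set only in memory, which works here because `project` is stubbed on the controller; a short comment saying so would help the next reader.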