Commit 28dabc67 authored by Thong Kuah's avatar Thong Kuah

Restore 403 functionality for external auth (EE)

When we unhooked ClustersController from
Projects::ApplicationController, we missed an EE override of
handle_not_found_or_authorized.

Rather than carry on overriding RoutableActions, make a specific proc
for Project that we override in EE instead. Use that proc in both
Clusters::BaseController and Projects::ApplicationController.
parent 1163b235
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
class Clusters::BaseController < ApplicationController class Clusters::BaseController < ApplicationController
include RoutableActions include RoutableActions
include ProjectUnauthorized
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
before_action :require_project_id before_action :require_project_id
...@@ -21,7 +22,7 @@ class Clusters::BaseController < ApplicationController ...@@ -21,7 +22,7 @@ class Clusters::BaseController < ApplicationController
end end
def project def project
@project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id])) @project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id]), not_found_or_authorized_proc: project_unauthorized_proc)
end end
def repository def repository
......
# frozen_string_literal: true
module ProjectUnauthorized
extend ActiveSupport::Concern
# EE would override this
def project_unauthorized_proc
# no-op
end
end
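Review bot: `# EE would override this` says who overrides `project_unauthorized_proc` but not what an override must return, and the CE body returns nil only because the method is empty. The contract that `find_routable!` relies on is worth stating on the method: `# Returns nil (CE) or a callable taking the project (nil when it was not found);` / `# the callable must render or redirect, otherwise find_routable! falls back to route_not_found.` Writing `nil` as the body would also make the CE return value visible instead of implied.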
...@@ -3,23 +3,25 @@ ...@@ -3,23 +3,25 @@
module RoutableActions module RoutableActions
extend ActiveSupport::Concern extend ActiveSupport::Concern
def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil) def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil, not_found_or_authorized_proc: nil)
routable = routable_klass.find_by_full_path(requested_full_path, follow_redirects: request.get?) routable = routable_klass.find_by_full_path(requested_full_path, follow_redirects: request.get?)
if routable_authorized?(routable, extra_authorization_proc) if routable_authorized?(routable, extra_authorization_proc)
ensure_canonical_path(routable, requested_full_path) ensure_canonical_path(routable, requested_full_path)
routable routable
else else
handle_not_found_or_authorized(routable) if not_found_or_authorized_proc
not_found_or_authorized_proc.call(routable)
end
route_not_found unless performed?
nil nil
end end
end end
# This is overridden in gitlab-ee.
def handle_not_found_or_authorized(_routable)
route_not_found
end
def routable_authorized?(routable, extra_authorization_proc) def routable_authorized?(routable, extra_authorization_proc)
return false unless routable
action = :"read_#{routable.class.to_s.underscore}" action = :"read_#{routable.class.to_s.underscore}"
return false unless can?(current_user, action, routable) return false unless can?(current_user, action, routable)
......
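Review bot: The new `not_found_or_authorized_proc` keyword is undocumented, and its contract is subtle: it is invoked with `routable` both when no record was found (nil) and when one exists but `routable_authorized?` rejected it, and only a render or redirect inside it (`performed?`) prevents the following `route_not_found`. A comment on the signature would keep overrides from guessing, e.g. `# not_found_or_authorized_proc: optional callable receiving the routable (nil when not found); it may render or redirect, otherwise route_not_found runs.` Because the proc can receive a record the current user is not allowed to read, an override that answers the two cases differently (the EE 403) discloses that the path exists, so that trade-off should be deliberate and the response must not include anything taken from the record. `handle_not_found_or_authorized` is deleted here; if any other CE or EE code still calls it, that call now raises NoMethodError, which is worth a grep before merging.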
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
class Projects::ApplicationController < ApplicationController class Projects::ApplicationController < ApplicationController
include CookiesHelper include CookiesHelper
include RoutableActions include RoutableActions
include ProjectUnauthorized
include ChecksCollaboration include ChecksCollaboration
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
...@@ -21,7 +22,7 @@ class Projects::ApplicationController < ApplicationController ...@@ -21,7 +22,7 @@ class Projects::ApplicationController < ApplicationController
path = File.join(params[:namespace_id], params[:project_id] || params[:id]) path = File.join(params[:namespace_id], params[:project_id] || params[:id])
auth_proc = ->(project) { !project.pending_delete? } auth_proc = ->(project) { !project.pending_delete? }
@project = find_routable!(Project, path, extra_authorization_proc: auth_proc) @project = find_routable!(Project, path, extra_authorization_proc: auth_proc, not_found_or_authorized_proc: project_unauthorized_proc)
end end
def build_canonical_path(project) def build_canonical_path(project)
......
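Review bot: Passing `project_unauthorized_proc` here also sends the `extra_authorization_proc` failure through it, so a project that exists but is `pending_delete?` reaches the EE override as an existing-but-unauthorized routable rather than as a missing one (assuming `routable_authorized?`, whose body is cut off above, returns false when the extra proc rejects). If the override responds 403 in that case, a deleted-but-not-yet-purged project becomes distinguishable from a nonexistent one, which the previous unconditional `route_not_found` did not allow. That may be acceptable, but it is a behaviour change that deserves a comment on the `auth_proc` line, e.g. `# a pending-delete project is reported through project_unauthorized_proc, not as not-found`, and a spec. The enclosing method's signature is above the hunk.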