Restrict access when restricted visibility level is public

Some organizations prefer to have all Gitlab related data private
but it is currently possible for non-authenticated users to access
certain pages e.g /public and /explore

This change makes it possible to restrict access by
checking if `public` is included in the restricted visibility
level setting.

* require authentication for /explore, /help, and /public for non-authenticated users.
* remove the Explore link from the sign in page.
* redirect an unauthenticated user attempting to access /help to https://docs.gitlab.com/.

app/controllers/application_controller.rb

@@ -496,6 +496,10 @@ class ApplicationController < ActionController::Base
     html_request? && !devise_controller?
   end
 
+  def public_visibility_restricted?
+    Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
+  end
+
   def set_usage_stats_consent_flag
     return unless current_user
     return if sessionless_user?

app/controllers/explore/application_controller.rb

 # frozen_string_literal: true
 
 class Explore::ApplicationController < ApplicationController
-  skip_before_action :authenticate_user!
+  skip_before_action :authenticate_user!, unless: :public_visibility_restricted?
 
   layout 'explore'
 end

app/controllers/help_controller.rb

 # frozen_string_literal: true
 
 class HelpController < ApplicationController
-  skip_before_action :authenticate_user!
+  skip_before_action :authenticate_user!, unless: :public_visibility_restricted?
 
   layout 'help'
 

app/helpers/explore_helper.rb

@@ -51,6 +51,10 @@ module ExploreHelper
     links.any? { |link| explore_nav_link?(link) }
   end
 
+  def public_visibility_restricted?
+    Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
+  end
+
   private
 
   def get_explore_nav_links

app/views/layouts/devise.html.haml

@@ -38,7 +38,9 @@
       %hr.footer-fixed
       .container.footer-container
         .footer-links
-          = link_to _("Explore"), explore_root_path
-          = link_to _("Help"), help_path
+          - if !public_visibility_restricted?
+            = link_to _("Explore"), explore_root_path
+            = link_to _("Help"), help_path
           = link_to _("About GitLab"), "https://about.gitlab.com/"
+
       = footer_message

app/views/layouts/devise_empty.html.haml

@@ -14,7 +14,8 @@
     %hr
     .container
       .footer-links
-        = link_to _("Explore"), explore_root_path
-        = link_to _("Help"), help_path
+        - if !public_visibility_restricted?
+          = link_to _("Explore"), explore_root_path
+          = link_to _("Help"), help_path
         = link_to _("About GitLab"), "https://about.gitlab.com/"
     = footer_message

doc/install/aws/index.md

@@ -205,7 +205,7 @@ On the EC2 dashboard, look for Load Balancer in the left navigation bar:
 1. Click **Configure Health Check** and set up a health check for your EC2 instances.
    1. For **Ping Protocol**, select HTTP.
    1. For **Ping Port**, enter 80.
-   1. For **Ping Path**, enter `/explore`. (We use `/explore` as it's a public endpoint that does
+   1. For **Ping Path**, enter `/users/sign_in`. (We use `/users/sign_in` as it's a public endpoint that does
    not require authorization.)
    1. Keep the default **Advanced Details** or adjust them according to your needs.
 1. Click **Add EC2 Instances** but, as we don't have any instances to add yet, come back

doc/public_access/public_access.md

@@ -69,6 +69,16 @@ you are privileged to.
 
 If the public level is restricted, user profiles are only visible to logged in users.
 
+## Visibility of pages
+
+By default, the following directories are visible to unauthenticated users:
+
+- Public access (`/public`).
+- Explore (`/explore`).
+- Help (`/help`).
+
+However, if the access level of the `/public` directory is restricted, these directories are visible only to logged in users.
+
 ## Restricting the use of public or internal projects
 
 You can restrict the use of visibility levels for users when they create a project or a

doc/user/admin_area/settings/visibility_and_access_controls.md

@@ -91,7 +91,7 @@ For more details on group visibility, see [Public access](../../../public_access
 
 ## Restricted visibility levels
 
-To set the available visibility levels for new projects and snippets:
+To set the available visibility levels for projects, snippets, and selected pages:
 
 1. Check the desired visibility levels.
 1. Click **Save changes**.

ee/changelogs/unreleased/18165-add-access-control-for-restricted-public-level.yml

+---
+title: Restrict page access when restricted level is public
+merge_request: 22522
+author: briankabiro
+type: added

ee/spec/features/users/login_spec.rb

@@ -186,4 +186,35 @@ describe 'Login' do
       end
     end
   end
+
+  describe 'restricted visibility levels' do
+    context 'contains public level' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'hides Explore link' do
+        visit new_user_session_path
+
+        expect(page).to have_no_link("Explore")
+      end
+
+      it 'hides help link' do
+        visit new_user_session_path
+
+        expect(page).to have_no_link("Help")
+      end
+    end
+
+    context 'does not contain public level' do
+      it 'displays Explore and Help links' do
+        visit new_user_session_path
+
+        href = find_link("Help")[:href]
+
+        expect(href).to eq("/help")
+        expect(page).to have_link("Explore")
+      end
+    end
+  end
 end

ee/spec/features/users/signup_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Signup' do
+  context 'almost there page' do
+    context 'when public visibility is restricted' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'hides Explore link' do
+        visit users_almost_there_path
+
+        expect(page).to have_no_link("Explore")
+      end
+
+      it 'hides help link' do
+        visit users_almost_there_path
+
+        expect(page).to have_no_link("Help")
+      end
+    end
+  end
+end

spec/controllers/explore/groups_controller_spec.rb

@@ -22,4 +22,18 @@ describe Explore::GroupsController do
 
     expect(assigns(:groups)).to contain_exactly(member_of_group, public_group)
   end
+
+  context 'restricted visibility level is public' do
+    before do
+      sign_out(user)
+
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+    end
+
+    it 'redirects to login page' do
+      get :index
+
+      expect(response).to redirect_to new_user_session_path
+    end
+  end
 end

spec/controllers/explore/projects_controller_spec.rb

@@ -171,5 +171,17 @@ describe Explore::ProjectsController do
         get :index, params: { sort: sorting_param }
       end
     end
+
+    context 'restricted visibility level is public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to login page' do
+        get :index
+
+        expect(response).to redirect_to new_user_session_path
+      end
+    end
   end
 end

spec/controllers/help_controller_spec.rb

@@ -79,6 +79,20 @@ describe HelpController do
         expect(assigns[:help_index]).to eq '[protocol-relative](//example.com)'
       end
     end
+
+    context 'restricted visibility set to public' do
+      before do
+        sign_out(user)
+
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to sign_in path' do
+        get :index
+
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
   end
 
   describe 'GET #show' do

spec/features/explore/groups_spec.rb

@@ -89,5 +89,17 @@ describe 'Explore Groups', :js do
     end
 
     it_behaves_like 'renders group in public groups area'
+
+    context 'when visibility is restricted to public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to the sign in page' do
+        visit explore_groups_path
+
+        expect(page).to have_current_path(new_user_session_path)
+      end
+    end
   end
 end

spec/features/explore/user_explores_projects_spec.rb

@@ -16,6 +16,17 @@ describe 'User explores projects' do
 
       include_examples 'shows public projects'
     end
+
+    context 'when visibility is restricted to public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+        visit(explore_projects_path)
+      end
+
+      it 'redirects to login page' do
+        expect(page).to have_current_path(new_user_session_path)
+      end
+    end
   end
 
   context 'when signed in' do