Commit 362e4a6e authored by James Fargher's avatar James Fargher

Merge branch '352291-add-actors-to-enforce_auth_checks_on_uploads-ff' into 'master'

Add actor to enforce_auth_checks_on_uploads FF

See merge request gitlab-org/gitlab!81460
parents e1a3922b b492a8d2
......@@ -143,7 +143,7 @@ module UploadsActions
end
def bypass_auth_checks_on_uploads?
if ::Feature.enabled?(:enforce_auth_checks_on_uploads, default_enabled: :yaml)
if ::Feature.enabled?(:enforce_auth_checks_on_uploads, project, default_enabled: :yaml)
false
else
action_name == 'show' && embeddable?
......
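Review bot: `bypass_auth_checks_on_uploads?` lives in the shared `UploadsActions` concern, but the flag check now passes `project` as the actor, and nothing in this hunk shows that every including controller defines `project` or that it is non-nil. If `project` is nil, the flag is presumably evaluated without an actor, so an actor-scoped rollout would fall through to the `else` branch and skip the auth check for embeddable `show` requests; in other words, the flag fails open. I would document that above the check, e.g. `# Actor is the project; callers without a project get the flag evaluated as disabled, which bypasses auth for embeddable show`, or guard the nil case explicitly. The method body ends outside the hunk.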
......@@ -4,7 +4,7 @@ class Groups::UploadsController < Groups::ApplicationController
include UploadsActions
include WorkhorseRequest
skip_before_action :group, if: -> { bypass_auth_checks_on_uploads? }
skip_before_action :group, if: -> { action_name == 'show' && embeddable? }
before_action :authorize_upload_file!, only: [:create, :authorize]
before_action :verify_workhorse_api!, only: [:authorize]
......
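Review bot: The `skip_before_action :group` condition, as this page renders the new line, no longer consults `:enforce_auth_checks_on_uploads`, so the `:group` callback is skipped on every embeddable `show` request even when the flag is fully enabled. The spec changes suggest this is deliberate, but the controller carries no marker that it is a temporary relaxation of an access check. I would add a comment on that line, such as `# Not gated by :enforce_auth_checks_on_uploads while the flag is project-scoped; restore bypass_auth_checks_on_uploads? per https://gitlab.com/gitlab-org/gitlab/-/issues/352291`. That keeps the bypass from being forgotten when the flag is cleaned up.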
......@@ -211,10 +211,22 @@ RSpec.shared_examples 'handle uploads' do
stub_feature_flags(enforce_auth_checks_on_uploads: true)
end
it "responds with status 302" do
it "responds with appropriate status" do
show_upload
expect(response).to have_gitlab_http_status(:redirect)
# We're switching here based on the class due to the feature
# flag :enforce_auth_checks_on_uploads switching on project.
# When it is enabled fully, we will apply the code it guards
# to both Projects::UploadsController as well as
# Groups::UploadsController.
#
# https://gitlab.com/gitlab-org/gitlab/-/issues/352291
#
if model.instance_of?(Group)
expect(response).to have_gitlab_http_status(:ok)
else
expect(response).to have_gitlab_http_status(:redirect)
end
end
end
......@@ -305,7 +317,19 @@ RSpec.shared_examples 'handle uploads' do
it "responds with status 404" do
show_upload
expect(response).to have_gitlab_http_status(:not_found)
# We're switching here based on the class due to the feature
# flag :enforce_auth_checks_on_uploads switching on
# project. When it is enabled fully, we will apply the
# code it guards to both Projects::UploadsController as
# well as Groups::UploadsController.
#
# https://gitlab.com/gitlab-org/gitlab/-/issues/352291
#
if model.instance_of?(Group)
expect(response).to have_gitlab_http_status(:ok)
else
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
......
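Review bot: The example `it "responds with status 404"` now also asserts `:ok` for groups, so its description is stale; the sibling example in the earlier hunk was renamed to "responds with appropriate status" and this one should be renamed too. Branching on `model.instance_of?(Group)` inside a shared example also means the group case pins that an upload is served with `:ok` where the project case is denied, and the spec name does not say so. Consider making that explicit, e.g. `it "responds with 404 for projects and 200 for groups (issue 352291)" do`, or splitting it into two contexts. The known access-control gap for groups then shows up in test output and is easy to find when the flag is rolled out fully.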