Fix global anonymous searches restriction

de1fc6f1 · Dmitry Gruzd · Mark Chao · 6adff1dd · de1fc6f1 · de1fc6f1
Commit de1fc6f1 authored Dec 06, 2021 by Dmitry Gruzd Committed by Mark Chao Dec 06, 2021
3 changed files
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -150,7 +150,7 @@ class SearchController < ApplicationController
  end

  def block_anonymous_global_searches
-    return if params[:project_id].present? || params[:group_id].present?
+    return unless search_service.global_search?
    return if current_user
    return unless ::Feature.enabled?(:block_anonymous_global_searches, type: :ops)

@@ -160,7 +160,7 @@ class SearchController < ApplicationController
  end

  def check_scope_global_search_enabled
-    return if params[:project_id].present? || params[:group_id].present?
+    return unless search_service.global_search?

    search_allowed = case params[:scope]
                     when 'blobs'

--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@@ -45,6 +45,10 @@ class SearchService
    # overridden in EE
  end

+  def global_search?
+    project.blank? && group.blank?
+  end
+
  def show_snippets?
    return @show_snippets if defined?(@show_snippets)


--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -172,6 +172,12 @@ RSpec.describe SearchController do

              expect(response).to redirect_to new_user_session_path
            end
+
+            it 'redirects to login page when trying to circumvent the restriction' do
+              get :show, params: { scope: 'projects', project_id: non_existing_record_id, search: '*' }
+
+              expect(response).to redirect_to new_user_session_path
+            end
          end

          context 'for authenticated user' do