Merge branch 'fix-unauthenticated-label-access' into 'master'

Fix label read access for unauthenticated users

The label page was added to navigation for unauthorized users because
the previously used milestone read permission was still checked. This
has been fixed and read access to labels is now granted (again) for
public projects.

This regression has been introduced in
07efb17e (7.12).

See also 9bcd3639.

Refs !836, !842.

See merge request !1000

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.14.0 (unreleased)
+  - Fix label read access for unauthenticated users (Daniel Gerhardt)
   - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
   - Fix file upload dialog for comment editing (Daniel Gerhardt)
   - Expire Rails cache entries after two weeks to prevent endless Redis growth

app/helpers/projects_helper.rb

@@ -131,8 +131,12 @@ module ProjectsHelper
       nav_tabs << :snippets
     end
 
+    if can?(current_user, :read_label, project)
+      nav_tabs << :labels
+    end
+
     if can?(current_user, :read_milestone, project)
-      nav_tabs << [:milestones, :labels]
+      nav_tabs << :milestones
     end
 
     nav_tabs.flatten

app/models/ability.rb

@@ -35,6 +35,7 @@ class Ability
           :read_project,
           :read_wiki,
           :read_issue,
+          :read_label,
           :read_milestone,
           :read_project_snippet,
           :read_project_member,