Merge branch 'docs/pages-access-control' into 'master'

Add user docs for Pages access control

Closes #54143

See merge request gitlab-org/gitlab-ce!23145

5 files changed, 58 insertions, 11 deletions

diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index d8345f2d6bd..cbd3032bd4e 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -244,8 +244,9 @@ This setting is enabled by default.
 
 ### Access control
 
-Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
-in GitLab 11.5. It can be configured per-project, and allows access to a Pages
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+GitLab Pages access control can be configured per-project, and allows access to a Pages
 site to be controlled based on a user's membership to that project.
 
 Access control works by registering the Pages daemon as an OAuth application
@@ -259,15 +260,16 @@ Each request to view a resource in a private site is authenticated by Pages
 using that token. For each request it receives, it makes a request to the GitLab
 API to check that the user is authorized to read that site.
 
-Pages access control is currently disabled by default. To enable it, you must:
+Pages access control is disabled by default. To enable it:
 
-1. Enable it in `/etc/gitlab/gitlab.rb`
+1. Enable it in `/etc/gitlab/gitlab.rb`:
 
     ```ruby
     gitlab_pages['access_control'] = true
     ```
 
-1. [Reconfigure GitLab][reconfigure]
+1. [Reconfigure GitLab][reconfigure].
+1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
 
 ## Activate verbose logging for daemon
 
diff --git a/doc/administration/pages/source.md b/doc/administration/pages/source.md
index ddff54be575..9f2b4d9075a 100644
--- a/doc/administration/pages/source.md
+++ b/doc/administration/pages/source.md
@@ -393,8 +393,9 @@ server_name ~^.*\.pages\.example\.io$;
 
 ## Access control
 
-Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
-in GitLab 11.5. It can be configured per-project, and allows access to a Pages
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+GitLab Pages access control can be configured per-project, and allows access to a Pages
 site to be controlled based on a user's membership to that project.
 
 Access control works by registering the Pages daemon as an OAuth application
@@ -408,15 +409,17 @@ Each request to view a resource in a private site is authenticated by Pages
 using that token. For each request it receives, it makes a request to the GitLab
 API to check that the user is authorized to read that site.
 
-Pages access control is currently disabled by default. To enable it, you must:
+Pages access control is disabled by default. To enable it:
 
 1. Modify your `config/gitlab.yml` file:
+
     ```yaml
     pages:
       access_control: true
     ```
-1. [Restart GitLab][restart]
-1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile)
+
+1. [Restart GitLab][restart].
+1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile).
    This should be called `GitLab Pages` and have a `Redirect URL` of
    `https://projects.example.io/auth`. It does not need to be a "trusted"
    application, but it does need the "api" scope.
@@ -429,6 +432,8 @@ Pages access control is currently disabled by default. To enable it, you must:
       -auth-server <URL of the GitLab instance>
     ```
 
+1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
+
 ## Change storage path
 
 Follow the steps below to change the default path where GitLab Pages' contents
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index 1fd230a41aa..c4a2d5f66e5 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -95,7 +95,7 @@ The following table depicts the various user permission levels in a project.
 | Manage GitLab Pages                   |         |            |             | ✓        | ✓      |
 | Manage GitLab Pages domains and certificates |         |            |             | ✓        | ✓      |
 | Remove GitLab Pages                   |         |            |             |          | ✓      |
-| View GitLab Pages protected by [access control](../administration/pages/index.md#access-control) | ✓       | ✓          | ✓           | ✓        | ✓      |
+| View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core-only) | ✓       | ✓          | ✓           | ✓        | ✓      |
 | Manage clusters                       |         |            |             | ✓        | ✓      |
 | Manage license policy **[ULTIMATE]**  |         |            |             | ✓        | ✓      |
 | Edit comments (posted by any user)    |         |            |             | ✓        | ✓      |
diff --git a/doc/user/project/pages/introduction.md b/doc/user/project/pages/introduction.md
index fe4d15adfa1..9f9b64ec20d 100644
--- a/doc/user/project/pages/introduction.md
+++ b/doc/user/project/pages/introduction.md
@@ -441,6 +441,46 @@ The rest of the guide still applies.
 
 See also: [GitLab Pages from A to Z: Part 1 - Static sites and GitLab Pages domains](getting_started_part_one.md#gitlab-pages-domain).
 
+## GitLab Pages access control **[CORE ONLY]**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+NOTE: **Note:**
+GitLab Pages access control is not activated on GitLab.com.
+
+You can enable Pages access control on your project, so that only
+[members of your project](../../permissions.md#project-members-permissions)
+(at least Guest) can access your website:
+
+1. Navigate to your project's **Settings > General > Permissions**.
+1. Toggle the **Pages** button to enable the access control.
+
+    NOTE: **Note:**
+    If you don't see the toggle button, that means that it's not enabled.
+    Ask your administrator to [enable it](../../../administration/pages/index.md#access-control).
+
+1. The Pages access control dropdown allows you to set who can view pages hosted
+   with GitLab Pages, depending on your project's visibility:
+
+    - If your project is private:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+    - If your project is internal:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone with access**: Everyone logged into GitLab will be able to browse the website, no matter their project membership.
+      - **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+    - If your project is public:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone with access**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+
+1. Click **Save changes**.
+
+---
+
+The next time someone tries to access your website and the access control is
+enabled, they will be presented with a page to sign into GitLab and verify they
+can access the website.
+
 ## Limitations
 
 When using Pages under the general domain of a GitLab instance (`*.example.io`),
diff --git a/doc/user/project/settings/img/sharing_and_permissions_settings.png b/doc/user/project/settings/img/sharing_and_permissions_settings.png
index f5e3e32f95c..6cb89c6ea1d 100644
--- a/doc/user/project/settings/img/sharing_and_permissions_settings.png
+++ b/doc/user/project/settings/img/sharing_and_permissions_settings.png