author | Grzegorz Bizon <grzegorz@gitlab.com> | 2019-02-12 12:18:17 +0000 |
committer | Grzegorz Bizon <grzegorz@gitlab.com> | 2019-02-12 12:18:17 +0000 |
commit | 633e9f3175b25bb3ac39bc08ef1d4da56db643a5 (patch) | |
tree | b16a23dbf46a32b2fd1597cb1796963ff171b15a | |
parent | a68ff6d61dfff945ae991ed7f8524e3ba741e56e (diff) | |
parent | 13d2d1985c5346beab95e6a77706194f9f007a05 (diff) | |
download | gitlab-ce-633e9f3175b25bb3ac39bc08ef1d4da56db643a5.tar.gz |
Merge branch '54850-pages-domain-show-view-is-not-protected-by-access-control' into 'master'
Fix access to pages domain settings
Closes #54850
See merge request gitlab-org/gitlab-ce!24926
3 files changed, 22 insertions, 2 deletions
diff --git a/app/controllers/projects/pages_domains_controller.rb b/app/controllers/projects/pages_domains_controller.rb
index 439ec9b1731..58b1bc54181 100644
--- a/app/controllers/projects/pages_domains_controller.rb
+++ b/app/controllers/projects/pages_domains_controller.rb
@@ -4,7 +4,7 @@ class Projects::PagesDomainsController < Projects::ApplicationController
 layout 'project_settings'
 before_action :require_pages_enabled!
- before_action :authorize_update_pages!, except: [:show]
+ before_action :authorize_update_pages!
 before_action :domain, except: [:new, :create]
 def show
diff --git a/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml b/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml
new file mode 100644
index 00000000000..41761213d7b
--- /dev/null
+++ b/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml
@@ -0,0 +1,5 @@
+---
+title: Require maintainer access to show pages domain settings
+merge_request: 24926
+author:
+type: fixed
diff --git a/spec/controllers/projects/pages_domains_controller_spec.rb b/spec/controllers/projects/pages_domains_controller_spec.rb
index 8b7f7587701..ffb9867a203 100644
--- a/spec/controllers/projects/pages_domains_controller_spec.rb
+++ b/spec/controllers/projects/pages_domains_controller_spec.rb
@@ -23,12 +23,27 @@ describe Projects::PagesDomainsController do
 end
 describe 'GET show' do
- it "displays the 'show' page" do
+ def make_request
 get(:show, params: request_params.merge(id: pages_domain.domain))
+ end
+ it "displays the 'show' page" do
+ make_request
 expect(response).to have_gitlab_http_status(200)
 expect(response).to render_template('show')
 end
+
+ context 'when user is developer' do
+ before do
+ project.add_developer(user)
+ end
+
+ it 'renders 404 page' do
+ make_request
+
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
 end
 describe 'GET new' do
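Review bot: The new `before_action :authorize_update_pages!` line carries no comment explaining why `show` is no longer exempt, so a later maintainer treating the page as a harmless read-only view could reinstate `except: [:show]` and silently reopen the issue; add `# :show is deliberately not exempt: viewing a domain's settings requires the same permission as changing them (#54850).` above it. The declaration order is also worth a word in that comment, since `before_action :domain` is declared after the authorization filter and therefore the domain lookup only runs for callers that pass the check; reordering the filters would make the lookup happen before authorization. The class body continues outside the hunk.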
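Review bot: The new `context 'when user is developer'` pins the 404 for exactly one role, while the positive `it "displays the 'show' page"` case relies on whatever role the outer setup grants, which is outside this hunk; the regression being fixed is cheapest to catch at the lowest privilege, so consider a sibling context for a non-member (and, if the outer setup signs a user in, an anonymous request) using the same `make_request` and `expect(response).to have_gitlab_http_status(404)` lines. `project.add_developer(user)` in the new `before` block presumably lowers a higher membership granted earlier in the file — verify that the membership is actually changed rather than left at the original level, otherwise the 404 assertion would pass for the wrong reason. The enclosing `describe Projects::PagesDomainsController` block starts before the hunk.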