authorBob Van Landuyt <bob@vanlanduyt.co>2018-04-27 16:48:08 +0200
committerBob Van Landuyt <bob@vanlanduyt.co>2018-04-27 17:01:04 +0200
commit725a5ce9ca49fe55e7822502243f142567ac0478 (patch)
tree8d5c8cc40a0d54c1bb48ea53d405259d2c2d7074
parent4c91ea317b103e314ed0b113651114f79f500a39 (diff)
Add permission to block access to the web appbvl-access-web-permission
Similar to the permission we use for API access or git access.
-rw-r--r--app/controllers/application_controller.rb7
-rw-r--r--app/policies/global_policy.rb4
-rw-r--r--spec/controllers/application_controller_spec.rb28
-rw-r--r--spec/policies/global_policy_spec.rb14
4 files changed, 52 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0fdd4d2cb47..f288eb8c59f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
before_action :authenticate_sessionless_user!
before_action :authenticate_user!
+ before_action :authorize_access_web!
before_action :validate_user_service_ticket!
before_action :check_password_expiration
before_action :ldap_security_check
@@ -268,6 +269,12 @@ class ApplicationController < ActionController::Base
end
end
+ def authorize_access_web!
+ unless can?(current_user, :access_web)
+ render_403
+ end
+ end
+
def import_sources_enabled?
!Gitlab::CurrentSettings.import_sources.empty?
end
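Review bot: `authorize_access_web!` carries no comment saying what it guards, and its three-line `unless … end` body would read better in modifier form: `render_403 unless can?(current_user, :access_web)`. A one-line comment such as `# Mirrors the :access_api / :access_git checks: the policy decides who may use the web app; refused users get a 403 rather than the app.` would record that the decision lives in GlobalPolicy, not here. Since this filter runs for every request, any action that presumably skips `authenticate_user!` reaches it with a nil `current_user`, so the outcome then depends on the policy granting `:access_web` to anonymous users (which the policy spec in this commit expects); stating that in the comment would stop a later reader from assuming the check implies a signed-in user. The enclosing class continues outside the hunk.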
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 64e550d19d0..72ef0888438 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -26,14 +26,16 @@ class GlobalPolicy < BasePolicy
enable :log_in
enable :access_api
enable :access_git
+ enable :access_web
enable :receive_notifications
enable :use_quick_actions
end
- rule { blocked | internal }.policy do
+ rule { ~anonymous & (blocked | internal) }.policy do
prevent :log_in
prevent :access_api
prevent :access_git
+ prevent :access_web
prevent :receive_notifications
prevent :use_quick_actions
end
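Review bot: The `~anonymous &` guard added to the rule at line 55 changes the pre-existing prevents (`:log_in`, `:access_api`, `:access_git`, notifications, quick actions) as well as the new `:access_web`, but neither the hunk nor the commit message records why it is needed; presumably the `blocked` / `internal` conditions are not meaningful for a nil user. A short comment above the rule, `# blocked / internal only apply to signed-in users; anonymous access is decided by the enabling rule above`, would keep the guard from being dropped as redundant. The rule that enables `:access_web` begins before the hunk, so whether anonymous users actually get it enabled cannot be checked here, though the policy spec in this commit expects they do.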
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index fe95d1ef9cd..eacf2d7a589 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -406,4 +406,32 @@ describe ApplicationController do
end
end
end
+
+ context 'access to the web application' do
+ controller(described_class) do
+ def index
+ render nothing: true
+ end
+ end
+
+ before do
+ sign_in(user)
+ end
+
+ it 'renders 200 when the user has access' do
+ expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { true }
+
+ get :index
+
+ expect(response).to have_gitlab_http_status(:success)
+ end
+
+ it 'renders 403 when the user does not have access' do
+ expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { false }
+
+ get :index
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
end
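Review bot: The anonymous controller's `index` action uses `render nothing: true`, which is deprecated on Rails 5 in favour of `head :ok`; if the project is on Rails 5 (I cannot tell from the hunk) `head :ok` avoids the deprecation warning and is the conventional spelling. The two examples otherwise pin the intended contract well, stubbing `Ability.allowed?` with the `:global` subject so the test checks the controller's behaviour rather than the policy's. The enclosing `describe` block starts outside the hunk.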
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 5b8cf2e6ab5..31cda8722d6 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -88,4 +88,18 @@ describe GlobalPolicy do
it { is_expected.to be_allowed(:update_custom_attribute) }
end
end
+
+ describe 'accessing the web application' do
+ context 'anonymous users' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_allowed(:access_web) }
+ end
+
+ context 'blocked users' do
+ let(:current_user) { create(:user, :blocked) }
+
+ it { is_expected.not_to be_allowed(:access_web) }
+ end
+ end
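Review bot: The new `describe` only covers anonymous and blocked users, while the rule it exercises also prevents `:access_web` for `internal` users and the positive case for an ordinary active user is never asserted. Adding a context for an internal user (using whichever trait the project's user factory provides for that) expecting `is_expected.not_to be_allowed(:access_web)`, and one for a regular user expecting `is_expected.to be_allowed(:access_web)`, would pin the full rule rather than two of its four branches. The enclosing `describe GlobalPolicy` block starts outside the hunk.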
end