author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-04-27 16:48:08 +0200 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-04-27 17:01:04 +0200 |
commit | 725a5ce9ca49fe55e7822502243f142567ac0478 (patch) | |
tree | 8d5c8cc40a0d54c1bb48ea53d405259d2c2d7074 | |
parent | 4c91ea317b103e314ed0b113651114f79f500a39 (diff) | |
download | gitlab-ce-bvl-access-web-permission.tar.gz |
Add permission to block access to the web app
bvl-access-web-permission
Similar to the permission we use for API access or git access.
-rw-r--r-- | app/controllers/application_controller.rb | 7 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 4 | ||||
-rw-r--r-- | spec/controllers/application_controller_spec.rb | 28 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 14 |
4 files changed, 52 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0fdd4d2cb47..f288eb8c59f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base before_action :authenticate_sessionless_user! before_action :authenticate_user! + before_action :authorize_access_web! before_action :validate_user_service_ticket! before_action :check_password_expiration before_action :ldap_security_check
@@ -268,6 +269,12 @@ class ApplicationController < ActionController::Base end end + def authorize_access_web! + unless can?(current_user, :access_web) + render_403 + end + end + def import_sources_enabled? !Gitlab::CurrentSettings.import_sources.empty? end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 64e550d19d0..72ef0888438 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -26,14 +26,16 @@ class GlobalPolicy < BasePolicy enable :log_in enable :access_api enable :access_git + enable :access_web enable :receive_notifications enable :use_quick_actions end - rule { blocked | internal }.policy do + rule { ~anonymous & (blocked | internal) }.policy do prevent :log_in prevent :access_api prevent :access_git + prevent :access_web prevent :receive_notifications prevent :use_quick_actions end
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index fe95d1ef9cd..eacf2d7a589 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
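Review bot: `authorize_access_web!` is undocumented and spends three lines on a one-line guard; `render_403 unless can?(current_user, :access_web)` with a comment such as `# Web counterpart of :access_api / :access_git: blocked and internal users get a 403 on every request; anonymous users are allowed by GlobalPolicy and left to authenticate_user!` would read better and record the intent. The filter only stops the request because `render_403` presumably renders a response, which makes Rails halt the remaining before_action chain; that is worth stating, since the first hunk of this file places it ahead of `validate_user_service_ticket!`, `check_password_expiration` and `ldap_security_check`. The enclosing class continues outside the hunk.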
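Review bot: The `~anonymous &` guard added to `rule { blocked | internal }` changes how that rule applies to every permission in the block (`:log_in`, `:access_api`, `:access_git`, `:receive_notifications`, `:use_quick_actions`), not only the new `:access_web`, and nothing in the hunk says why it is needed. If the reason is that the `blocked`/`internal` conditions cannot be evaluated for a nil user, a comment on the rule would keep the next reader from dropping it, e.g. `# ~anonymous: blocked/internal are user conditions and must not be evaluated for anonymous access` (adjust to the actual reason). Whether anonymous users remain prevented from the other permissions by a separate rule is not visible here and should be confirmed by a spec. The enclosing class continues outside the hunk.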
@@ -406,4 +406,32 @@ describe ApplicationController do end end end + + context 'access to the web application' do + controller(described_class) do + def index + render nothing: true + end + end + + before do + sign_in(user) + end + + it 'renders 200 when the user has access' do + expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { true } + + get :index + + expect(response).to have_gitlab_http_status(:success) + end + + it 'renders 403 when the user does not have access' do + expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { false } + + get :index + + expect(response).to have_gitlab_http_status(:forbidden) + end + end end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 5b8cf2e6ab5..31cda8722d6 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -88,4 +88,18 @@ describe GlobalPolicy do it { is_expected.to be_allowed(:update_custom_attribute) } end end + + describe 'accessing the web application' do + context 'anonymous users' do + let(:current_user) { nil } + + it { is_expected.to be_allowed(:access_web) } + end + + context 'blocked users' do + let(:current_user) { create(:user, :blocked) } + + it { is_expected.not_to be_allowed(:access_web) } + end + end end |
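Review bot: Both examples stub the policy with `expect(Ability).to receive(:allowed?).with(user, :access_web, :global)`, so they prove the before_action consults the policy but not that a blocked user actually receives a 403, and they will fail as soon as any other filter in the chain calls `Ability.allowed?` with different arguments. A comment on the context, `# The policy decision itself is covered in spec/policies/global_policy_spec.rb`, would make that division of coverage explicit, and `allow(Ability).to receive(:allowed?).and_call_original` ahead of each expectation would keep other `can?` calls working. The enclosing describe block starts outside the hunk.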
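Review bot: The new describe covers anonymous and blocked users but not internal users, although the rule changed in app/policies/global_policy.rb prevents `:access_web` for `blocked | internal`; a `context 'internal users'` with `it { is_expected.not_to be_allowed(:access_web) }` would pin that half of the rule (`let(:current_user) { create(:user, <internal-user trait>) }`, using whatever trait the user factory provides for internal users). Because the same rule also governs `:log_in`, `:access_api` and `:access_git`, an anonymous-user expectation for one of those would show that the `~anonymous` guard left their outcome unchanged. The enclosing describe block starts outside the hunk.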