Fix access to disabled features for unauthenticated users

Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.

2 files changed, 32 insertions, 23 deletions

diff --git a/CHANGELOG b/CHANGELOG
index 9fe1e8c90c7..cc39373fd44 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.14.0 (unreleased)
+  - Fix access to disabled features for unauthenticated users (Daniel Gerhardt)
   - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
   - Fix file upload dialog for comment editing (Daniel Gerhardt)
   - Expire Rails cache entries after two weeks to prevent endless Redis growth
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d3631d49ec6..6cffc46cec3 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -31,7 +31,7 @@ class Ability
                 end
 
       if project && project.public?
-        [
+        rules = [
           :read_project,
           :read_wiki,
           :read_issue,
@@ -42,6 +42,8 @@ class Ability
           :read_note,
           :download_code
         ]
+
+        rules - project_disabled_features_rules(project)
       else
         group = if subject.kind_of?(Group)
                   subject
@@ -102,28 +104,7 @@ class Ability
           rules -= project_archived_rules
         end
 
-        unless project.issues_enabled
-          rules -= named_abilities('issue')
-        end
-
-        unless project.merge_requests_enabled
-          rules -= named_abilities('merge_request')
-        end
-
-        unless project.issues_enabled or project.merge_requests_enabled
-          rules -= named_abilities('label')
-          rules -= named_abilities('milestone')
-        end
-
-        unless project.snippets_enabled
-          rules -= named_abilities('project_snippet')
-        end
-
-        unless project.wiki_enabled
-          rules -= named_abilities('wiki')
-        end
-
-        rules
+        rules - project_disabled_features_rules(project)
       end
     end
 
@@ -205,6 +186,33 @@ class Ability
       ]
     end
 
+    def project_disabled_features_rules(project)
+      rules = []
+
+      unless project.issues_enabled
+        rules += named_abilities('issue')
+      end
+
+      unless project.merge_requests_enabled
+        rules += named_abilities('merge_request')
+      end
+
+      unless project.issues_enabled or project.merge_requests_enabled
+        rules += named_abilities('label')
+        rules += named_abilities('milestone')
+      end
+
+      unless project.snippets_enabled
+        rules += named_abilities('project_snippet')
+      end
+
+      unless project.wiki_enabled
+        rules += named_abilities('wiki')
+      end
+
+      rules
+    end
+
     def group_abilities(user, group)
       rules = []