Fix label read access for unauthenticated users

The label page was added to navigation for unauthorized users because
the previously used milestone read permission was still checked. This
has been fixed and read access to labels is now granted (again) for
public projects.

This regression has been introduced in
07efb17e10fe26a01b60d8441868f9fbda0768f2 (7.12).

See also 9bcd36396b9b71467f66dd4ed79ab709bb5d027a.

Refs !836, !842.

3 files changed, 7 insertions, 1 deletions

diff --git a/CHANGELOG b/CHANGELOG
index 9fe1e8c90c7..b1d079ef207 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.14.0 (unreleased)
+  - Fix label read access for unauthenticated users (Daniel Gerhardt)
   - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
   - Fix file upload dialog for comment editing (Daniel Gerhardt)
   - Expire Rails cache entries after two weeks to prevent endless Redis growth
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index f61baf00525..3cd52b381bd 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -131,8 +131,12 @@ module ProjectsHelper
       nav_tabs << :snippets
     end
 
+    if can?(current_user, :read_label, project)
+      nav_tabs << :labels
+    end
+
     if can?(current_user, :read_milestone, project)
-      nav_tabs << [:milestones, :labels]
+      nav_tabs << :milestones
     end
 
     nav_tabs.flatten
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d3631d49ec6..7dab50d47d4 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -35,6 +35,7 @@ class Ability
           :read_project,
           :read_wiki,
           :read_issue,
+          :read_label,
           :read_milestone,
           :read_project_snippet,
           :read_project_member,