diff options
| author | Stan Hu <stanhu@gmail.com> | 2015-07-20 16:42:07 +0000 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2015-07-20 16:42:07 +0000 |
| commit | 996ad35bedca4b8975a6f65fcbf5dbdb75cae278 (patch) | |
| tree | 47c5bb13598455255a87ef782e23641368729e97 | |
| parent | 3522018db3b6bb9f799e9326e109c6897c4a285e (diff) | |
| parent | 4a0e4c857f799d2e3cc5d5dc37de6da784661965 (diff) | |
| download | gitlab-ce-996ad35bedca4b8975a6f65fcbf5dbdb75cae278.tar.gz | |
Merge branch 'fix-disabled-feature-access' into 'master'
Fix (i.e. prevent) access to disabled features for unauthenticated users
Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.
See merge request !1006
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | app/models/ability.rb | 54 |
2 files changed, 32 insertions, 23 deletions
diff --git a/CHANGELOG b/CHANGELOG index 799856c91fa..d249a014802 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.14.0 (unreleased) - Remove repository graph log to fix slow cache updates after push event (Stan Hu) - Fix label read access for unauthenticated users (Daniel Gerhardt) + - Fix access to disabled features for unauthenticated users (Daniel Gerhardt) - Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu) - Fix file upload dialog for comment editing (Daniel Gerhardt) - Set OmniAuth full_host parameter to ensure redirect URIs are correct (Stan Hu) diff --git a/app/models/ability.rb b/app/models/ability.rb index 7dab50d47d4..9258d981ac9 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -31,7 +31,7 @@ class Ability end if project && project.public? - [ + rules = [ :read_project, :read_wiki, :read_issue, @@ -43,6 +43,8 @@ class Ability :read_note, :download_code ] + + rules - project_disabled_features_rules(project) else group = if subject.kind_of?(Group) subject @@ -103,28 +105,7 @@ class Ability rules -= project_archived_rules end - unless project.issues_enabled - rules -= named_abilities('issue') - end - - unless project.merge_requests_enabled - rules -= named_abilities('merge_request') - end - - unless project.issues_enabled or project.merge_requests_enabled - rules -= named_abilities('label') - rules -= named_abilities('milestone') - end - - unless project.snippets_enabled - rules -= named_abilities('project_snippet') - end - - unless project.wiki_enabled - rules -= named_abilities('wiki') - end - - rules + rules - project_disabled_features_rules(project) end end @@ -206,6 +187,33 @@ class Ability ] end + def project_disabled_features_rules(project) + rules = [] + + unless project.issues_enabled + rules += named_abilities('issue') + end + + unless project.merge_requests_enabled + rules += named_abilities('merge_request') + end + + unless project.issues_enabled or project.merge_requests_enabled + rules += named_abilities('label') + rules += named_abilities('milestone') + end + + unless project.snippets_enabled + rules += named_abilities('project_snippet') + end + + unless project.wiki_enabled + rules += named_abilities('wiki') + end + + rules + end + def group_abilities(user, group) rules = [] |