author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-06-18 12:50:31 +0000 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-06-18 12:50:31 +0000 |
commit | d8d8fe76327eb3b7c92484fc2fff03cc28b23fc7 (patch) | |
tree | b97638fd27911c64fa418d29fab4976a535a7096 | |
parent | 71559a5fb463d585effb2eaee7f05520c18cf085 (diff) | |
parent | b8fd21f91ab87610fac60004e99f8cff5468ae1f (diff) | |
Merge branch 'labels-permission-fix-7-12' into '7-12-stable'
Fix 403 Access Denied error messages when accessing Labels section in a project
This occurs when issues are enabled but merge requests are disabled (or the reverse): the old `authorize_labels!` check effectively required read access to both.
Closes #1813
See merge request !842
-rw-r--r-- | app/controllers/application_controller.rb | 7 | ||||
-rw-r--r-- | app/controllers/projects/labels_controller.rb | 2 | ||||
-rw-r--r-- | app/models/ability.rb | 1 | ||||
-rw-r--r-- | spec/controllers/application_controller_spec.rb | 40 |
4 files changed, 43 insertions, 7 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 62d46a5482e..a657d3c54ee 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
 end
 
 def after_sign_out_path_for(resource)
- current_application_settings.after_sign_out_path || new_user_session_path
+ current_application_settings.after_sign_out_path || new_user_session_path
 end
 
 def abilities
@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
 return access_denied! unless can?(current_user, action, project)
 end
 
- def authorize_labels!
- # Labels should be accessible for issues and/or merge requests
- authorize_read_issue! || authorize_read_merge_request!
- end
-
 def access_denied!
 render "errors/access_denied", layout: "errors", status: 404
 end
diff --git a/app/controllers/projects/labels_controller.rb b/app/controllers/projects/labels_controller.rb
index 2f8cb203cf9..86d6e3e0f6b 100644
--- a/app/controllers/projects/labels_controller.rb
+++ b/app/controllers/projects/labels_controller.rb
@@ -1,7 +1,7 @@
 class Projects::LabelsController < Projects::ApplicationController
 before_action :module_enabled
 before_action :label, only: [:edit, :update, :destroy]
- before_action :authorize_labels!
+ before_action :authorize_read_label!
 before_action :authorize_admin_labels!, except: [:index]
 
 respond_to :js, :html
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 4e6c60dc8ca..bcd2adee00b 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -138,6 +138,7 @@ class Ability
 :read_project,
 :read_wiki,
 :read_issue,
+ :read_label,
 :read_milestone,
 :read_project_snippet,
 :read_project_member,
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 186239d3096..55851befc8c 100644
--- a/spec/controllers/application_controller_spec.rb
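Review bot: `authorize_read_label!` on the replaced before_action line is not defined anywhere in this commit — the only authorize helper the commit touches is the removed `authorize_labels!` — so it must be resolved dynamically, presumably by an `authorize_*!` handler in ApplicationController whose body is the `return access_denied! unless can?(current_user, action, project)` context line visible in the first file; that is a reasonable guess but not something the hunk shows. A reader of this controller now has no way to tell which ability gates `index`, so I would annotate the line: `before_action :authorize_read_label!  # dynamic authorize_*! helper; backed by the :read_label ability in Ability`. Since `authorize_admin_labels!` still runs on every action except `index`, the new read check only widens access to the label list, which matches the intent of the fix.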
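Review bot: `:read_label` is added to this rule list unconditionally, while the behaviour the commit wants (labels readable when either issues or merge requests are enabled, denied when both are off, per the spec's last case) is not expressed anywhere in the hunk. If this list is the guest-level project rule set, as `:read_project` and `:read_issue` beside it suggest, denial when both features are disabled has to come from a disabled-features rule elsewhere in Ability that strips label abilities; that rule is outside the hunk, so confirm it exists rather than relying on the spec alone. A one-line comment would make the coupling visible: `:read_label, # revoked by the disabled-features rules when issues and MRs are both off`. The surrounding rule list starts and ends outside the hunk.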
+++ b/spec/controllers/application_controller_spec.rb
@@ -30,4 +30,44 @@ describe ApplicationController do
 controller.send(:check_password_expiration)
 end
 end
+
+ describe 'check labels authorization' do
+ let(:project) { create(:project) }
+ let(:user) { create(:user) }
+ let(:controller) { ApplicationController.new }
+
+ before do
+ project.team << [user, :guest]
+ allow(controller).to receive(:current_user).and_return(user)
+ allow(controller).to receive(:project).and_return(project)
+ end
+
+ it 'should succeed if issues and MRs are enabled' do
+ project.issues_enabled = true
+ project.merge_requests_enabled = true
+ controller.send(:authorize_read_label!)
+ expect(response.status).to eq(200)
+ end
+
+ it 'should succeed if issues are enabled, MRs are disabled' do
+ project.issues_enabled = true
+ project.merge_requests_enabled = false
+ controller.send(:authorize_read_label!)
+ expect(response.status).to eq(200)
+ end
+
+ it 'should succeed if issues are disabled, MRs are enabled' do
+ project.issues_enabled = false
+ project.merge_requests_enabled = true
+ controller.send(:authorize_read_label!)
+ expect(response.status).to eq(200)
+ end
+
+ it 'should fail if issues and MRs are disabled' do
+ project.issues_enabled = false
+ project.merge_requests_enabled = false
+ expect(controller).to receive(:access_denied!)
+ controller.send(:authorize_read_label!)
+ end
+ end
 end
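Review bot: The three positive cases assert `expect(response.status).to eq(200)`, but nothing in them performs a request on the bare `ApplicationController.new`, so that status does not reflect the outcome of `authorize_read_label!`; a denial would call `access_denied!` (which renders) rather than alter `response`. Mirror the negative case and assert on the method instead: `expect(controller).not_to receive(:access_denied!)` before each `controller.send(:authorize_read_label!)`, and drop the status assertion. The feature flags are set on the unsaved `project` instance, which only works because that same instance is stubbed onto the controller; a short comment in the `before` block would save the next reader a trip, e.g. `# unsaved flag changes suffice: the controller sees this instance via the stub`. The enclosing `describe ApplicationController` block starts outside the hunk.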