diff options
| author | Luke Duncalfe <lduncalfe@eml.cc> | 2019-05-23 16:33:11 +1200 |
|---|---|---|
| committer | Luke Duncalfe <lduncalfe@eml.cc> | 2019-06-11 08:21:04 +1200 |
| commit | ba377e91e1179b5b1124df1fcdda22c1b63e82a1 (patch) | |
| tree | 3b4d44618b710f02055374154119f4f3123bb2dd /app/controllers/projects/templates_controller.rb | |
| parent | e5dcd1101b027d35ca23123c0712a483629b9bf6 (diff) | |
| download | gitlab-ce-ba377e91e1179b5b1124df1fcdda22c1b63e82a1.tar.gz | |
Authorize access before serving project template
Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.
When a issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.
We also now rescue_from FileNotFoundError and handle as 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.
Handling these in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and returning a
404.
https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
Diffstat (limited to 'app/controllers/projects/templates_controller.rb')
| -rw-r--r-- | app/controllers/projects/templates_controller.rb | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/app/controllers/projects/templates_controller.rb b/app/controllers/projects/templates_controller.rb index 7ceea4e5b96..f987033a26c 100644 --- a/app/controllers/projects/templates_controller.rb +++ b/app/controllers/projects/templates_controller.rb @@ -1,7 +1,9 @@ # frozen_string_literal: true class Projects::TemplatesController < Projects::ApplicationController - before_action :authenticate_user!, :get_template_class + before_action :authenticate_user! + before_action :authorize_can_read_issuable! + before_action :get_template_class def show template = @template_type.find(params[:key], project) @@ -13,9 +15,20 @@ class Projects::TemplatesController < Projects::ApplicationController private + # User must have: + # - `read_merge_request` to see merge request templates, or + # - `read_issue` to see issue templates + # + # Note params[:template_type] has a route constraint to limit it to + # `merge_request` or `issue` + def authorize_can_read_issuable! + action = [:read_, params[:template_type]].join + + authorize_action!(action) + end + def get_template_class template_types = { issue: Gitlab::Template::IssueTemplate, merge_request: Gitlab::Template::MergeRequestTemplate }.with_indifferent_access @template_type = template_types[params[:template_type]] - render json: [], status: :not_found unless @template_type end end |