authorDaniel Gerhardt <code@dgerhardt.net>2015-07-19 23:21:33 +0200
committerDaniel Gerhardt <code@dgerhardt.net>2015-07-20 09:45:24 +0200
commit4a0e4c857f799d2e3cc5d5dc37de6da784661965 (patch)
tree2eae7ce1f3bcbb242a5a8d08a6728b7b1d2b1f5a /app/models
parente8aaf5680355b2a71ab85439f653a70f4b487e0b (diff)
downloadgitlab-ce-4a0e4c857f799d2e3cc5d5dc37de6da784661965.tar.gz
Fix access to disabled features for unauthenticated users
Unauthenticated users had access to disabled features of public projects. The code has been slightly refactored so that feature checks are done in a separate method and can also be applied for public access.
Diffstat (limited to 'app/models')
-rw-r--r--app/models/ability.rb54
1 files changed, 31 insertions, 23 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d3631d49ec6..6cffc46cec3 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -31,7 +31,7 @@ class Ability
end
if project && project.public?
- [
+ rules = [
:read_project,
:read_wiki,
:read_issue,
@@ -42,6 +42,8 @@ class Ability
:read_note,
:download_code
]
+
+ rules - project_disabled_features_rules(project)
else
group = if subject.kind_of?(Group)
subject
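Review bot: The anonymous rule set for public projects is now corrected by subtraction, at `rules - project_disabled_features_rules(project)`, so it only withholds whatever symbols that helper returns; `named_abilities('wiki')`, `named_abilities('issue')` and the other generators are not in view, and if any of them does not emit exactly the `:read_wiki`/`:read_issue`/`:read_note`-style symbols used in this literal, the disabled feature stays readable for unauthenticated users with no error raised. The authenticated path in the next hunk now relies on the same assumption, so it is worth pinning with a spec that a public project with wiki, issues, merge requests or snippets disabled grants an anonymous user no `:read_*` ability for that feature. A one-line comment above the subtraction would make the intent explicit for the next edit to this list: `# Anonymous access to a public project must not include rules of features the project has disabled.` The enclosing method begins before this hunk and its `else` branch continues past it.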
@@ -102,28 +104,7 @@ class Ability
rules -= project_archived_rules
end
- unless project.issues_enabled
- rules -= named_abilities('issue')
- end
-
- unless project.merge_requests_enabled
- rules -= named_abilities('merge_request')
- end
-
- unless project.issues_enabled or project.merge_requests_enabled
- rules -= named_abilities('label')
- rules -= named_abilities('milestone')
- end
-
- unless project.snippets_enabled
- rules -= named_abilities('project_snippet')
- end
-
- unless project.wiki_enabled
- rules -= named_abilities('wiki')
- end
-
- rules
+ rules - project_disabled_features_rules(project)
end
end
@@ -205,6 +186,33 @@ class Ability
]
end
+ def project_disabled_features_rules(project)
+ rules = []
+
+ unless project.issues_enabled
+ rules += named_abilities('issue')
+ end
+
+ unless project.merge_requests_enabled
+ rules += named_abilities('merge_request')
+ end
+
+ unless project.issues_enabled or project.merge_requests_enabled
+ rules += named_abilities('label')
+ rules += named_abilities('milestone')
+ end
+
+ unless project.snippets_enabled
+ rules += named_abilities('project_snippet')
+ end
+
+ unless project.wiki_enabled
+ rules += named_abilities('wiki')
+ end
+
+ rules
+ end
+
def group_abilities(user, group)
rules = []