diff options
| author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-05-09 12:55:31 +0200 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-05-10 17:02:27 +0200 |
| commit | d801dd177483a8375f1656654ca3638c18550204 (patch) | |
| tree | 91dbc59dd7dfb437308e2d39238c024528268064 /app/policies | |
| parent | f7f13f9db0da92c7b43481dfe5559f317711e533 (diff) | |
| download | gitlab-ce-d801dd177483a8375f1656654ca3638c18550204.tar.gz | |
Allows `access_(git|api)` to anonymous users
The `access_git` and `access_api` were currently never checked for
anonymous users. And they would also be allowed access:
An anonymous user can clone and pull from a public repo
An anonymous user can request public information from the API
So the policy didn't actually reflect what we were enforcing.
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/global_policy.rb | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index e2736d3bb61..1cf5515d9d7 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -1,17 +1,17 @@ class GlobalPolicy < BasePolicy desc "User is blocked" with_options scope: :user, score: 0 - condition(:blocked) { @user.blocked? } + condition(:blocked) { @user&.blocked? } desc "User is an internal user" with_options scope: :user, score: 0 - condition(:internal) { @user.internal? } + condition(:internal) { @user&.internal? } desc "User's access has been locked" with_options scope: :user, score: 0 - condition(:access_locked) { @user.access_locked? } + condition(:access_locked) { @user&.access_locked? } - condition(:can_create_fork, scope: :user) { @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } } + condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } } condition(:required_terms_not_accepted, scope: :user, score: 0) do @user&.required_terms_not_accepted? @@ -19,8 +19,6 @@ class GlobalPolicy < BasePolicy rule { anonymous }.policy do prevent :log_in - prevent :access_api - prevent :access_git prevent :receive_notifications prevent :use_quick_actions prevent :create_group |