authorBob Van Landuyt <bob@vanlanduyt.co>2018-05-09 12:55:31 +0200
committerBob Van Landuyt <bob@vanlanduyt.co>2018-05-10 17:02:27 +0200
commitd801dd177483a8375f1656654ca3638c18550204 (patch)
tree91dbc59dd7dfb437308e2d39238c024528268064 /app/policies
parentf7f13f9db0da92c7b43481dfe5559f317711e533 (diff)
downloadgitlab-ce-d801dd177483a8375f1656654ca3638c18550204.tar.gz
Allows `access_(git|api)` to anonymous users
The `access_git` and `access_api` abilities were never checked for anonymous users, and anonymous users were in fact allowed that access: an anonymous user can clone and pull from a public repo, and an anonymous user can request public information from the API. So the policy didn't actually reflect what we were enforcing.
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/global_policy.rb10
1 files changed, 4 insertions, 6 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index e2736d3bb61..1cf5515d9d7 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -1,17 +1,17 @@
class GlobalPolicy < BasePolicy
desc "User is blocked"
with_options scope: :user, score: 0
- condition(:blocked) { @user.blocked? }
+ condition(:blocked) { @user&.blocked? }
desc "User is an internal user"
with_options scope: :user, score: 0
- condition(:internal) { @user.internal? }
+ condition(:internal) { @user&.internal? }
desc "User's access has been locked"
with_options scope: :user, score: 0
- condition(:access_locked) { @user.access_locked? }
+ condition(:access_locked) { @user&.access_locked? }
- condition(:can_create_fork, scope: :user) { @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
+ condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
condition(:required_terms_not_accepted, scope: :user, score: 0) do
@user&.required_terms_not_accepted?
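Review bot: The safe-navigation rewrites of `blocked`, `internal` and `access_locked` (and the `@user &&` guard on `can_create_fork`) silently change these conditions from "raises for a nil user" to "falsy for a nil user", and nothing in the file says that an anonymous `@user` is now an expected input here. A comment above the first `desc` would make the contract explicit: `# @user is nil for anonymous users; every user-scoped condition must evaluate to a falsy value in that case rather than raise.`. Since `blocked` and `access_locked` are now falsy for anonymous users, any rule elsewhere in this policy of the form `rule { ~blocked }` or `rule { ~access_locked }` will presumably also fire for anonymous users — intended for `access_api`/`access_git`, but worth confirming for every other ability those rules enable. The `@user && ...` form on `can_create_fork` is the right choice over `&.`, because Ruby's `&.` does not short-circuit the rest of the chain (`nil&.manageable_namespaces.any?` would still call `any?` on nil); a short `# &. would not protect the chained any? call` comment would stop a later cleanup from "simplifying" it.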
@@ -19,8 +19,6 @@ class GlobalPolicy < BasePolicy
rule { anonymous }.policy do
prevent :log_in
- prevent :access_api
- prevent :access_git
prevent :receive_notifications
prevent :use_quick_actions
prevent :create_group