path: root/config/routes/project.rb
author    Luke Duncalfe <lduncalfe@eml.cc>  2019-05-23 16:33:11 +1200
committer Luke Duncalfe <lduncalfe@eml.cc>  2019-06-13 15:35:04 +1200
commit    5351ebf83b4769bdd876aed0898b4202ebff6e91
tree      6fccffc0797786d780dc009b8712874ad624eb34 /config/routes/project.rb
parent    3c240b7aea7fee1c4267d0ceb717ba0234e5e788
download  gitlab-ce-5351ebf83b4769bdd876aed0898b4202ebff6e91.tar.gz
Authorize access before serving project template
Previously, if a user was a guest member of a private project, they could access the merge request template as we were not checking permission-levels of the user. When an issue template is asked for, the user must have :read_issue for the project; or :read_merge_request when a merge request template is asked for.

We also now rescue_from FileNotFoundError and handle it as a 404. This is because RepoTemplateFinder can raise a FileNotFoundError exception, which Rails previously handled as a 500. We handle these in a way that is consistent with ActiveRecord::RecordNotFound exceptions, within controllers that inherit from Projects::ApplicationController at least, and return a 404.

https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
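The check the commit message describes, as an added illustration that is not GitLab's code: a framework-free Ruby model of the template action with an assumed ability map, a constructed access matrix for one private project, and a stand-in for the FileNotFoundError that RepoTemplateFinder raises. It orders the steps the way the fix does (validate the template type, authorize, then touch the repository) and maps the finder's exception to a 404; the pre-fix ordering is kept alongside for contrast. Returning 404 rather than 403 on a failed authorization is an assumed choice here, as are all names below.

```ruby
# Added example, not GitLab's code: a framework-free model of the authorized
# template lookup described in the commit message. All names are assumptions.

# Stands in for the exception RepoTemplateFinder raises for an unknown key.
class FileNotFoundError < StandardError; end

# Ability required per template type (the commit message names these two).
TEMPLATE_ABILITIES = {
  'issue'         => :read_issue,
  'merge_request' => :read_merge_request
}.freeze

# Constructed repository contents: template type => { key => body }.
REPO_TEMPLATES = {
  'issue'         => { 'Bug' => "## Steps to reproduce\n" },
  'merge_request' => { 'Default' => "## What does this MR do?\n" }
}.freeze

# Constructed access matrix for one private project: role => granted abilities.
# A guest can read issues but not merge requests, which is the gap the fix closes.
ACCESS = {
  maintainer: [:read_issue, :read_merge_request],
  guest:      [:read_issue],
  anonymous:  []
}.freeze

def can?(role, ability)
  ACCESS.fetch(role, []).include?(ability)
end

# Mimics the finder: returns the template body or raises FileNotFoundError.
def find_template(template_type, key)
  REPO_TEMPLATES.fetch(template_type).fetch(key) { raise FileNotFoundError, key }
end

# Models the fixed controller action; returns [http_status, body].
# Order matters: reject unknown types, then authorize, then read the repo,
# so an unauthorized caller never reaches the finder.
def show_template(role, template_type, key)
  ability = TEMPLATE_ABILITIES[template_type]
  return [404, nil] unless ability              # type the route would not accept
  return [404, nil] unless can?(role, ability)  # fail closed; 404 hides existence (assumed)
  [200, find_template(template_type, key)]
rescue FileNotFoundError
  [404, nil]                                    # treated like RecordNotFound, not a 500
end

# Pre-fix ordering for contrast: the finder runs with no permission check, so a
# guest obtains the merge request template, and a missing key surfaces as a 500.
def show_template_unchecked(_role, template_type, key)
  [200, find_template(template_type, key)]
rescue KeyError, FileNotFoundError
  [500, nil]
end
```

Running `show_template_unchecked(:guest, 'merge_request', 'Default')` reproduces the leak in the model (a 200 with the template body), while `show_template` with the same arguments returns 404; a maintainer asking for a key that does not exist also gets 404 instead of the 500 the unchecked version produces.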
Diffstat (limited to 'config/routes/project.rb')
-rw-r--r--  config/routes/project.rb  5
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 93d168fc595..bde482f0b6b 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -41,7 +41,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
#
# Templates
#
- get '/templates/:template_type/:key' => 'templates#show', as: :template, constraints: { key: %r{[^/]+} }
+ get '/templates/:template_type/:key' => 'templates#show',
+ as: :template,
+ defaults: { format: 'json' },
+ constraints: { key: %r{[^/]+}, template_type: /issue|merge_request/, format: 'json' }
resource :avatar, only: [:show, :destroy]
resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do
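Review bot: the `format: 'json'` entry in `constraints:` on the new route is effectively a no-op, because `:key` is constrained to `%r{[^/]+}`, which also matches dots; a request such as `/templates/issue/Bug.json` matches with `key = "Bug.json"` and no `:format` segment, so `defaults: { format: 'json' }` supplies the format regardless of what the caller sent. If the intent is only to force JSON responses, keep `defaults:` and drop the `format` constraint, or state in the commit message that any extension is deliberately treated as part of the key. Also, `template_type: /issue|merge_request/` duplicates the list of types the controller must map to `:read_issue` / `:read_merge_request`; keeping both in one constant would stop the route and the authorization check from drifting apart.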