diff options
author | Luke Duncalfe <lduncalfe@eml.cc> | 2019-05-23 16:33:11 +1200 |
---|---|---|
committer | Luke Duncalfe <lduncalfe@eml.cc> | 2019-06-11 08:21:04 +1200 |
commit | ba377e91e1179b5b1124df1fcdda22c1b63e82a1 (patch) | |
tree | 3b4d44618b710f02055374154119f4f3123bb2dd /config/routes/project.rb | |
parent | e5dcd1101b027d35ca23123c0712a483629b9bf6 (diff) | |
download | gitlab-ce-ba377e91e1179b5b1124df1fcdda22c1b63e82a1.tar.gz |
Authorize access before serving project template
Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.
When a issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.
We also now rescue_from FileNotFoundError and handle as 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.
Handling these in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and returning a
404.
https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
Diffstat (limited to 'config/routes/project.rb')
-rw-r--r-- | config/routes/project.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/config/routes/project.rb b/config/routes/project.rb index d44ff62bc2a..e4f6758693c 100644 --- a/config/routes/project.rb +++ b/config/routes/project.rb @@ -168,7 +168,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do # # Templates # - get '/templates/:template_type/:key' => 'templates#show', as: :template, constraints: { key: %r{[^/]+} } + get '/templates/:template_type/:key' => 'templates#show', + as: :template, + defaults: { format: 'json' }, + constraints: { key: %r{[^/]+}, template_type: %r{issue|merge_request}, format: 'json' } resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do member do |