Allow guests users to access project releases

This is step one of resolving https://gitlab.com/gitlab-org/gitlab-ce/issues/56838. Here is what changed: - Revert the security fix from bdee9e8412d. - Do not leak repository information (tag name, commit) to guests in API responses. - Do not include links to source code in API responses for users that do not have download_code access. - Show Releases in sidebar for guests. - Do not display links to source code under Assets for users that do not have download_code access. GET ':id/releases/:tag_name' still do not allow guests to access releases. This is to prevent guessing tag existence.
author: Krasimir Angelov <kangelov@gitlab.com> 2019-05-03 13:29:20 +0000
committer: Lin Jen-Shin <godfat@godfat.org> 2019-05-03 13:29:20 +0000
commit: 241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree: 085737123336ffc4abbf65652a7365c191c8a64c /lib
parent: 9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download: gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz
2 files changed, 25 insertions, 10 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index ee8480122c4..a228614f684 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1156,22 +1156,33 @@ module API
       end
     end
 
-    class Release < TagRelease
+    class Release < Grape::Entity
       expose :name
+      expose :tag, as: :tag_name, if: lambda { |_, _| can_download_code? }
+      expose :description
       expose :description_html do |entity|
         MarkupHelper.markdown_field(entity, :description)
       end
       expose :created_at
       expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
-      expose :commit, using: Entities::Commit
+      expose :commit, using: Entities::Commit, if: lambda { |_, _| can_download_code? }
 
       expose :assets do
-        expose :assets_count, as: :count
-        expose :sources, using: Entities::Releases::Source
+        expose :assets_count, as: :count do |release, _|
+          assets_to_exclude = can_download_code? ? [] : [:sources]
+          release.assets_count(except: assets_to_exclude)
+        end
+        expose :sources, using: Entities::Releases::Source, if: lambda { |_, _| can_download_code? }
         expose :links, using: Entities::Releases::Link do |release, options|
           release.links.sorted
         end
       end
+
+      private
+
+      def can_download_code?
+        Ability.allowed?(options[:current_user], :download_code, object.project)
+      end
     end
 
     class Tag < Grape::Entity
diff --git a/lib/api/releases.rb b/lib/api/releases.rb
index cb85028f22c..6b17f4317db 100644
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -23,7 +23,7 @@ module API
       get ':id/releases' do
         releases = ::ReleasesFinder.new(user_project, current_user).execute
 
-        present paginate(releases), with: Entities::Release
+        present paginate(releases), with: Entities::Release, current_user: current_user
       end
 
       desc 'Get a single project release' do
@@ -34,9 +34,9 @@ module API
         requires :tag_name, type: String, desc: 'The name of the tag', as: :tag
       end
       get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMETS do
-        authorize_read_release!
+        authorize_download_code!
 
-        present release, with: Entities::Release
+        present release, with: Entities::Release, current_user: current_user
       end
 
       desc 'Create a new release' do
@@ -63,7 +63,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -86,7 +86,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -107,7 +107,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -135,6 +135,10 @@ module API
         authorize! :destroy_release, release
       end
 
+      def authorize_download_code!
+        authorize! :download_code, release
+      end
+
       def release
         @release ||= user_project.releases.find_by_tag(params[:tag])
       end
author	Krasimir Angelov <kangelov@gitlab.com>	2019-05-03 13:29:20 +0000
committer	Lin Jen-Shin <godfat@godfat.org>	2019-05-03 13:29:20 +0000
commit	241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree	085737123336ffc4abbf65652a7365c191c8a64c /lib
parent	9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download	gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz