diff options
| -rw-r--r-- | app/policies/project_policy.rb | 3 | ||||
| -rw-r--r-- | changelogs/unreleased/fix-git-access-wiki-when-repository-feature-disabled.yml | 4 | ||||
| -rw-r--r-- | lib/gitlab/git_access.rb | 6 | ||||
| -rw-r--r-- | lib/gitlab/git_access_wiki.rb | 8 | ||||
| -rw-r--r-- | spec/lib/gitlab/git_access_wiki_spec.rb | 25 | ||||
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 14 |
6 files changed, 57 insertions, 3 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 1ee31023e26..8ac4bd9df6d 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -50,6 +50,7 @@ class ProjectPolicy < BasePolicy def reporter_access! can! :download_code + can! :download_wiki_code can! :fork_project can! :create_project_snippet can! :update_issue @@ -187,6 +188,7 @@ class ProjectPolicy < BasePolicy unless project.feature_available?(:wiki, user) || project.has_external_wiki? cannot!(*named_abilities(:wiki)) + cannot!(:download_wiki_code) end unless project.feature_available?(:builds, user) && repository_enabled @@ -226,6 +228,7 @@ class ProjectPolicy < BasePolicy can! :read_commit_status can! :read_container_image can! :download_code + can! :download_wiki_code can! :read_cycle_analytics # NOTE: may be overridden by IssuePolicy diff --git a/changelogs/unreleased/fix-git-access-wiki-when-repository-feature-disabled.yml b/changelogs/unreleased/fix-git-access-wiki-when-repository-feature-disabled.yml new file mode 100644 index 00000000000..82ca6316876 --- /dev/null +++ b/changelogs/unreleased/fix-git-access-wiki-when-repository-feature-disabled.yml @@ -0,0 +1,4 @@ +--- +title: Allow access to the wiki with git when repository feature disabled +merge_request: +author: diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index bcbf6455998..db07b7c5fcc 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -46,7 +46,7 @@ module Gitlab def download_access_check if user user_download_access_check - elsif deploy_key.nil? && !Guest.can?(:download_code, project) + elsif deploy_key.nil? && !guest_can_downlod_code? raise UnauthorizedError, ERROR_MESSAGES[:download] end end @@ -59,6 +59,10 @@ module Gitlab end end + def guest_can_downlod_code? + Guest.can?(:download_code, project) + end + def user_download_access_check unless user_can_download_code? || build_can_download_code? raise UnauthorizedError, ERROR_MESSAGES[:download] diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb index f71d3575909..2c06c4ff1ef 100644 --- a/lib/gitlab/git_access_wiki.rb +++ b/lib/gitlab/git_access_wiki.rb @@ -1,5 +1,13 @@ module Gitlab class GitAccessWiki < GitAccess + def guest_can_downlod_code? + Guest.can?(:download_wiki_code, project) + end + + def user_can_download_code? + authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_wiki_code) + end + def change_access_check(change) if user_access.can_do_action?(:create_wiki) build_status_object(true) diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb index 576aa5c366f..578db51631e 100644 --- a/spec/lib/gitlab/git_access_wiki_spec.rb +++ b/spec/lib/gitlab/git_access_wiki_spec.rb @@ -26,4 +26,29 @@ describe Gitlab::GitAccessWiki, lib: true do def changes ['6f6d7e7ed 570e7b2ab refs/heads/master'] end + + describe '#download_access_check' do + subject { access.check('git-upload-pack', '_any') } + + before do + project.team << [user, :developer] + end + + context 'when wiki feature is enabled' do + it 'give access to download wiki code' do + project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::ENABLED) + + expect(subject.allowed?).to be_truthy + end + end + + context 'when wiki feature is disabled' do + it 'does not give access to download wiki code' do + project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED) + + expect(subject.allowed?).to be_falsey + expect(subject.message).to match(/You are not allowed to download code/) + end + end + end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 96249a7d8c3..b49e4f3a8bc 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -23,7 +23,7 @@ describe ProjectPolicy, models: true do :download_code, :fork_project, :create_project_snippet, :update_issue, :admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build, :read_container_image, :read_pipeline, :read_environment, :read_deployment, - :read_merge_request + :read_merge_request, :download_wiki_code ] end @@ -56,7 +56,8 @@ describe ProjectPolicy, models: true do let(:public_permissions) do [ :download_code, :fork_project, :read_commit_status, :read_pipeline, - :read_container_image, :build_download_code, :build_read_container_image + :read_container_image, :build_download_code, :build_read_container_image, + :download_wiki_code ] end @@ -87,6 +88,15 @@ describe ProjectPolicy, models: true do expect(Ability.allowed?(user, :read_issue, project)).to be_falsy end + it 'does not include the wiki permissions when the feature is disabled' do + project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED) + wiki_permissions = [:read_wiki, :create_wiki, :update_wiki, :admin_wiki, :download_wiki_code] + + permissions = described_class.abilities(owner, project).to_set + + expect(permissions).not_to include(*wiki_permissions) + end + context 'abilities for non-public projects' do let(:project) { create(:empty_project, namespace: owner.namespace) } |