diff options
Diffstat (limited to 'app/controllers/concerns/lfs_request.rb')
-rw-r--r-- | app/controllers/concerns/lfs_request.rb | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/app/controllers/concerns/lfs_request.rb b/app/controllers/concerns/lfs_request.rb index 2844acea271..bc3fd32759f 100644 --- a/app/controllers/concerns/lfs_request.rb +++ b/app/controllers/concerns/lfs_request.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true # This concern assumes: +# - a `#container` accessor # - a `#project` accessor # - a `#user` accessor # - a `#authentication_result` accessor @@ -11,6 +12,7 @@ # - a `#has_authentication_ability?(ability)` method module LfsRequest extend ActiveSupport::Concern + include Gitlab::Utils::StrongMemoize CONTENT_TYPE = 'application/vnd.git-lfs+json' @@ -29,16 +31,19 @@ module LfsRequest message: _('Git LFS is not enabled on this GitLab server, contact your admin.'), documentation_url: help_url }, + content_type: CONTENT_TYPE, status: :not_implemented ) end def lfs_check_access! - return render_lfs_not_found unless project + return render_lfs_not_found unless container&.lfs_enabled? return if download_request? && lfs_download_access? return if upload_request? && lfs_upload_access? - if project.public? || can?(user, :read_project, project) + # Only return a 403 response if the user has download access permission, + # otherwise return a 404 to avoid exposing the existence of the container. + if lfs_download_access? lfs_forbidden! else render_lfs_not_found @@ -72,9 +77,9 @@ module LfsRequest end def lfs_download_access? - return false unless project.lfs_enabled? - - ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code? || deploy_token_can_download_code? + strong_memoize(:lfs_download_access) do + ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code? || deploy_token_can_download_code? + end end def deploy_token_can_download_code? @@ -93,11 +98,12 @@ module LfsRequest end def lfs_upload_access? - return false unless project.lfs_enabled? - return false unless has_authentication_ability?(:push_code) - return false if limit_exceeded? + strong_memoize(:lfs_upload_access) do + next false unless has_authentication_ability?(:push_code) + next false if limit_exceeded? - lfs_deploy_token? || can?(user, :push_code, project) + lfs_deploy_token? || can?(user, :push_code, project) + end end def lfs_deploy_token? |