Diffstat (limited to 'app/controllers/groups')
7 files changed, 61 insertions, 28 deletions
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index f8cfa996447..5440908aee7 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -96,6 +96,28 @@ class Groups::ApplicationController < ApplicationController
 def validate_root_group!
 render_404 unless group.root?
 end
+
+ def authorize_action!(action)
+ access_denied! unless can?(current_user, action, group)
+ end
+
+ def respond_to_missing?(method, *args)
+ case method.to_s
+ when /\Aauthorize_(.*)!\z/
+ true
+ else
+ super
+ end
+ end
+
+ def method_missing(method_sym, *arguments, &block)
+ case method_sym.to_s
+ when /\Aauthorize_(.*)!\z/
+ authorize_action!(Regexp.last_match(1).to_sym)
+ else
+ super
+ end
+ end
 end
 
 Groups::ApplicationController.prepend_mod_with('Groups::ApplicationController')
diff --git a/app/controllers/groups/boards_controller.rb b/app/controllers/groups/boards_controller.rb
index e1ba86220c7..6bb807be1c4 100644
--- a/app/controllers/groups/boards_controller.rb
+++ b/app/controllers/groups/boards_controller.rb
@@ -20,16 +20,14 @@ class Groups::BoardsController < Groups::ApplicationController
 private
 
 def board_finder
- strong_memoize :board_finder do
- Boards::BoardsFinder.new(parent, current_user, board_id: params[:id])
- end
+ Boards::BoardsFinder.new(parent, current_user, board_id: params[:id])
 end
+ strong_memoize_attr :board_finder
 
 def board_create_service
- strong_memoize :board_create_service do
- Boards::CreateService.new(parent, current_user)
- end
+ Boards::CreateService.new(parent, current_user)
 end
+ strong_memoize_attr :board_create_service
 
 def authorize_read_board!
 access_denied! unless can?(current_user, :read_issue_board, group)
diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
index 2e9e0b12d2f..427df9a7129 100644
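Review bot: `respond_to_missing?` and `method_missing` accept any name matching `authorize_(.*)!`, so a mistyped `before_action :authorize_raed_foo!` is no longer a NoMethodError but a `can?` call with an ability no policy declares; what `can?` returns for an unknown ability is decided outside this hunk, so the failure mode is presumably a silent access_denied! rather than a loud error at boot or in specs. The ability name comes from a method name declared in code, not from request input, so this is a maintainability rather than an injection concern, but tightening the capture to `/\Aauthorize_([a-z_]+)!\z/` at least excludes empty and odd names, and the `*arguments` that `method_missing` receives are silently dropped on the `authorize_action!` call (`super unless arguments.empty?` would surface a misuse). A comment above `authorize_action!` such as `# authorize_<ability>! before_actions resolve via method_missing to can?(current_user, :<ability>, group)` would make the dynamic helpers discoverable when grepping for a before_action name.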
--- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb
+++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
@@ -117,7 +117,7 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
 end
 
 def blob_file_name
- @blob_file_name ||= params[:sha].sub('sha256:', '') + '.gz'
+ @blob_file_name ||= "#{params[:sha].sub('sha256:', '')}.gz"
 end
 
 def manifest_file_name
diff --git a/app/controllers/groups/observability_controller.rb b/app/controllers/groups/observability_controller.rb
index 4b1f2b582ce..3baa5e830ff 100644
--- a/app/controllers/groups/observability_controller.rb
+++ b/app/controllers/groups/observability_controller.rb
@@ -1,18 +1,9 @@
 # frozen_string_literal: true
 
 module Groups
 class ObservabilityController < Groups::ApplicationController
- feature_category :tracing
-
- content_security_policy do |p|
- next if p.directives.blank?
-
- default_frame_src = p.directives['frame-src'] || p.directives['default-src']
+ include ::Observability::ContentSecurityPolicy
 
- # When ObservabilityUI is not authenticated, it needs to be able to redirect to the GL sign-in page, hence 'self'
- frame_src_values = Array.wrap(default_frame_src) | [observability_url, "'self'"]
-
- p.frame_src(*frame_src_values)
- end
+ feature_category :tracing
 
 before_action :check_observability_allowed
@@ -34,16 +25,8 @@ module Groups
 render 'observability', layout: 'group', locals: { base_layout: 'layouts/fullscreen' }
 end
 
- def self.observability_url
- Gitlab::Observability.observability_url
- end
-
- def observability_url
- self.class.observability_url
- end
-
 def check_observability_allowed
- return render_404 unless observability_url.present?
+ return render_404 unless Gitlab::Observability.observability_url.present?
 
 render_404 unless can?(current_user, :read_observability, @group)
 end
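Review bot: `sub('sha256:', '')` removes the first occurrence of that substring wherever it sits in `params[:sha]`, whereas the intent is to strip a prefix; `@blob_file_name ||= "#{params[:sha].delete_prefix('sha256:')}.gz"` says exactly that and is otherwise equivalent for well-formed input. The rest of the request parameter then becomes a file name with no restriction visible in this method, so its safety rests on a route constraint or an earlier before_action that is outside the hunk; if one exists, a one-line comment here pointing to it would help, and if not, a guard such as `render_404 unless params[:sha].match?(/\Asha256:[0-9a-f]{64}\z/)` belongs before the name is built. The enclosing class continues outside the hunk.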
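Review bot: The removed `content_security_policy` block carried the only explanation of why `'self'` is added to frame-src (the unauthenticated Observability UI redirecting to the sign-in page); after the change that rationale presumably lives in `::Observability::ContentSecurityPolicy`, which is not part of this diff. If the concern does not document it, a pointer above the include is worth keeping, e.g. `# frame-src for the Observability UI (including 'self' for the sign-in redirect) is configured by the concern`. The class body continues past the end of this hunk.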
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index b1afac1f1c7..1dfa8cdf133 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -15,6 +15,8 @@ module Groups
 urgency :low
 
 def show
+ @entity = :group
+ @variable_limit = ::Plan.default.actual_limits.group_ci_variables
 end
 
 def update
diff --git a/app/controllers/groups/usage_quotas_controller.rb b/app/controllers/groups/usage_quotas_controller.rb
new file mode 100644
index 00000000000..29878f0001d
--- /dev/null
+++ b/app/controllers/groups/usage_quotas_controller.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Groups
+ class UsageQuotasController < Groups::ApplicationController
+ before_action :authorize_read_usage_quotas!
+ before_action :verify_usage_quotas_enabled!
+
+ feature_category :subscription_cost_management
+ urgency :low
+
+ def index
+ # To be used in ee/app/controllers/ee/groups/usage_quotas_controller.rb
+ @seat_count_data = seat_count_data
+ end
+
+ private
+
+ def verify_usage_quotas_enabled!
+ render_404 unless Feature.enabled?(:usage_quotas_for_all_editions, group)
+ render_404 if group.has_parent?
+ end
+
+ # To be overriden in ee/app/controllers/ee/groups/usage_quotas_controller.rb
+ def seat_count_data; end
+ end
+end
+
+Groups::UsageQuotasController.prepend_mod
diff --git a/app/controllers/groups/variables_controller.rb b/app/controllers/groups/variables_controller.rb
index 220b0b4509c..9ddf6c80c70 100644
--- a/app/controllers/groups/variables_controller.rb
+++ b/app/controllers/groups/variables_controller.rb
@@ -50,7 +50,7 @@ module Groups
 end
 
 def variable_params_attributes
- %i[id variable_type key secret_value protected masked _destroy]
+ %i[id variable_type key secret_value protected masked raw _destroy]
 end
 
 def authorize_admin_build!
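Review bot: `@variable_limit` is read from `::Plan.default`, i.e. the instance-wide default plan, with nothing derived from `group`; whether groups can carry a plan of their own is not visible in this hunk, so this is a question rather than a defect, but if the default plan is the intended source a why-comment would stop the next reader from "fixing" it, e.g. `# The UI shows the default plan's cap; per-group plan limits are not applied here`. Both ivars are set without a consumer in the hunk, presumably for the show view, which the comment could also name.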
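Review bot: `verify_usage_quotas_enabled!` can call `render_404` twice in one request — a subgroup with the feature flag disabled fails both checks — and if `render_404` renders a response (it is defined outside this file, but the name suggests so) the second call raises `AbstractController::DoubleRenderError` instead of producing a clean 404. The pattern used in observability_controller in this same commit avoids that: `return render_404 unless Feature.enabled?(:usage_quotas_for_all_editions, group)` followed by `render_404 if group.has_parent?`. `authorize_read_usage_quotas!` is not defined in this file and relies on the `authorize_*!` method_missing added to Groups::ApplicationController in this commit, which deserves a short comment next to the before_action so the dependency is visible. The comment above `seat_count_data` misspells "overridden".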