1 files changed, 30 insertions, 1 deletions

diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index 4a0324e8b5c..39f2b8fe0de 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -13,14 +13,16 @@ class ProjectFeature < ActiveRecord::Base
   # Disabled: not enabled for anyone
   # Private:  enabled only for team members
   # Enabled:  enabled for everyone able to access the project
+  # Public:   enabled for everyone (only allowed for pages)
   #
 
   # Permission levels
   DISABLED = 0
   PRIVATE  = 10
   ENABLED  = 20
+  PUBLIC   = 30
 
-  FEATURES = %i(issues merge_requests wiki snippets builds repository).freeze
+  FEATURES = %i(issues merge_requests wiki snippets builds repository pages).freeze
 
   class << self
     def access_level_attribute(feature)
@@ -46,6 +48,7 @@ class ProjectFeature < ActiveRecord::Base
   validates :project, presence: true
 
   validate :repository_children_level
+  validate :allowed_access_levels
 
   default_value_for :builds_access_level,         value: ENABLED, allows_nil: false
   default_value_for :issues_access_level,         value: ENABLED, allows_nil: false
@@ -55,6 +58,9 @@ class ProjectFeature < ActiveRecord::Base
   default_value_for :repository_access_level,     value: ENABLED, allows_nil: false
 
   def feature_available?(feature, user)
+    # This feature might not be behind a feature flag at all, so default to true
+    return false unless ::Feature.enabled?(feature, user, default_enabled: true)
+
     get_permission(user, access_level(feature))
   end
 
@@ -78,6 +84,16 @@ class ProjectFeature < ActiveRecord::Base
     issues_access_level > DISABLED
   end
 
+  def pages_enabled?
+    pages_access_level > DISABLED
+  end
+
+  def public_pages?
+    return true unless Gitlab.config.pages.access_control
+
+    pages_access_level == PUBLIC || pages_access_level == ENABLED && project.public?
+  end
+
   private
 
   # Validates builds and merge requests access level
@@ -92,6 +108,17 @@ class ProjectFeature < ActiveRecord::Base
     %i(merge_requests_access_level builds_access_level).each(&validator)
   end
 
+  # Validates access level for other than pages cannot be PUBLIC
+  def allowed_access_levels
+    validator = lambda do |field|
+      level = public_send(field) || ProjectFeature::ENABLED # rubocop:disable GitlabSecurity/PublicSend
+      not_allowed = level > ProjectFeature::ENABLED
+      self.errors.add(field, "cannot have public visibility level") if not_allowed
+    end
+
+    (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")}
+  end
+
   def get_permission(user, level)
     case level
     when DISABLED
@@ -100,6 +127,8 @@ class ProjectFeature < ActiveRecord::Base
       user && (project.team.member?(user) || user.full_private_access?)
     when ENABLED
       true
+    when PUBLIC
+      true
     else
       true
     end