From 13d2d1985c5346beab95e6a77706194f9f007a05 Mon Sep 17 00:00:00 2001
From: Vladimir Shushlin
Date: Tue, 12 Feb 2019 12:18:17 +0000
Subject: [PATCH] Fix access to pages domain settings

---
 .../projects/pages_domains_controller.rb | 2 +-
 ...-view-is-not-protected-by-access-control.yml | 5 +++++
 .../projects/pages_domains_controller_spec.rb | 17 ++++++++++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml

diff --git a/app/controllers/projects/pages_domains_controller.rb b/app/controllers/projects/pages_domains_controller.rb
index 439ec9b1731..58b1bc54181 100644
--- a/app/controllers/projects/pages_domains_controller.rb
+++ b/app/controllers/projects/pages_domains_controller.rb
@@ -4,7 +4,7 @@ class Projects::PagesDomainsController < Projects::ApplicationController
   layout 'project_settings'
 
   before_action :require_pages_enabled!
-  before_action :authorize_update_pages!, except: [:show]
+  before_action :authorize_update_pages!
   before_action :domain, except: [:new, :create]
 
   def show
diff --git a/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml b/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml
new file mode 100644
index 00000000000..41761213d7b
--- /dev/null
+++ b/changelogs/unreleased/54850-pages-domain-show-view-is-not-protected-by-access-control.yml
@@ -0,0 +1,5 @@
+---
+title: Require maintainer access to show pages domain settings
+merge_request: 24926
+author:
+type: fixed
diff --git a/spec/controllers/projects/pages_domains_controller_spec.rb b/spec/controllers/projects/pages_domains_controller_spec.rb
index 8b7f7587701..ffb9867a203 100644
--- a/spec/controllers/projects/pages_domains_controller_spec.rb
+++ b/spec/controllers/projects/pages_domains_controller_spec.rb
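Review bot: Dropping `except: [:show]` closes the gap, but nothing in the controller records why `show` has to stay behind `authorize_update_pages!`, so a later "read-only view" refactor could quietly reintroduce it; a comment on the new line would pin the intent, e.g. `# :show is deliberately not exempted: domain settings are maintainer-only (see 54850)`. The callback order is also part of the fix and should be kept: `authorize_update_pages!` runs before `before_action :domain`, so a caller without the permission is rejected before any domain lookup happens and gets the same response whether or not the domain exists. The body of `show` and the remaining actions of the class are outside the hunk.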
@@ -23,12 +23,27 @@ describe Projects::PagesDomainsController do end describe 'GET show' do - it "displays the 'show' page" do + def make_request get(:show, params: request_params.merge(id: pages_domain.domain)) + end + it "displays the 'show' page" do + make_request expect(response).to have_gitlab_http_status(200) expect(response).to render_template('show') end + + context 'when user is developer' do + before do + project.add_developer(user) + end + + it 'renders 404 page' do + make_request + + expect(response).to have_gitlab_http_status(404) + end + end end describe 'GET new' do
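Review bot: The new 'when user is developer' context pins only one below-maintainer role, and whether `project.add_developer(user)` lowers an existing membership or creates a new one depends on the outer `before` block, which is outside this hunk, so the 404 assertion is only as strong as that setup. Naming the permission in the example description would keep the intent visible after a refactor: `it 'returns 404 for a user without update_pages permission'`. Since the 200 and 404 cases now share `make_request`, a sibling context for a guest or reporter would cover the lower roles at little cost and is worth considering. The enclosing `describe Projects::PagesDomainsController` block begins outside the hunk.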