From 3e6cbcdd00017acae132daafa5af35f16bf48e3c Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Fri, 19 Feb 2016 15:11:26 +0100
Subject: [PATCH] Fix pages abilities
---
 app/controllers/projects/pages_controller.rb | 3 ++-
 app/policies/project_policy.rb | 2 ++
 app/views/projects/pages/_destroy.haml | 2 ++
 app/views/projects/pages/_list.html.haml | 2 +-
 app/views/projects/pages/_no_domains.html.haml | 13 +++++++------
 app/views/projects/pages/show.html.haml | 2 +-
 doc/user/permissions.md | 3 +++
 7 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/app/controllers/projects/pages_controller.rb b/app/controllers/projects/pages_controller.rb
index b73f998392d..fbd18b68141 100644
--- a/app/controllers/projects/pages_controller.rb
+++ b/app/controllers/projects/pages_controller.rb
@@ -1,7 +1,8 @@
 class Projects::PagesController < Projects::ApplicationController
 layout 'project_settings'
- before_action :authorize_update_pages!
+ before_action :authorize_read_pages!, only: [:show]
+ before_action :authorize_update_pages!, except: [:show]
 def show
 @domains = @project.pages_domains.order(:domain)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index ca5b39a001f..f5fd50745aa 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -110,6 +110,8 @@ class ProjectPolicy < BasePolicy
 can! :admin_pipeline
 can! :admin_environment
 can! :admin_deployment
+ can! :admin_pages
+ can! :read_pages
 can! :update_pages
 end
diff --git a/app/views/projects/pages/_destroy.haml b/app/views/projects/pages/_destroy.haml
index 0cd25f82cd4..896a86712a1 100644
--- a/app/views/projects/pages/_destroy.haml
+++ b/app/views/projects/pages/_destroy.haml
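Review bot: In app/controllers/projects/pages_controller.rb the new `before_action :authorize_update_pages!, except: [:show]` puts every non-show action behind `update_pages` only, which would include the DELETE that _destroy.haml links to, while this same patch documents "Remove pages" as an owner-only permission and tells non-owners they cannot remove pages. If the destroy action (outside this hunk) has no stricter check of its own, a non-owner holding `update_pages` is stopped only by the hidden button, not by the server. Consider `before_action :authorize_update_pages!, except: [:show, :destroy]` together with `before_action :authorize_remove_pages!, only: [:destroy]`, assuming the owner-level ability is named `remove_pages` (its name is not visible in this patch). A controller spec asserting that destroy is refused for a non-owner would pin the behaviour.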
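Review bot: In app/policies/project_policy.rb the added `can! :admin_pages` is granted but never checked anywhere in this patch; the controller uses `read_pages` and `update_pages`, and the templates use `update_pages`. `can! :read_pages` also lands in the same rule block as `can! :update_pages`, so unless another block (outside this hunk) grants `read_pages` to a lower role, the new read/update split in the controller and the `can?(current_user, :update_pages, @project)` guards in the views never separate any users. A comment above these lines naming the role this block applies to and what each ability gates, for example `# read_pages: view the Pages settings page; update_pages: manage domains; admin_pages: <intended use>`, plus a policy spec per role, would make the intended least-privilege split verifiable. The enclosing rule method starts and ends outside the hunk.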
@@ -7,3 +7,5 @@
 Removing the pages will prevent from exposing them to outside world.
 .form-actions
 = link_to 'Remove pages', namespace_project_pages_path(@project.namespace, @project), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-remove"
+- else
+ .nothing-here-block Only the project owner can remove pages
diff --git a/app/views/projects/pages/_list.html.haml b/app/views/projects/pages/_list.html.haml
index c1a6948a574..4f2dd1a1398 100644
--- a/app/views/projects/pages/_list.html.haml
+++ b/app/views/projects/pages/_list.html.haml
@@ -1,4 +1,4 @@
-- if @domains.any?
+- if can?(current_user, :update_pages, @project) && @domains.any?
 .panel.panel-default
 .panel-heading
 Domains (#{@domains.count})
diff --git a/app/views/projects/pages/_no_domains.html.haml b/app/views/projects/pages/_no_domains.html.haml
index 5a18740346a..7cea5f3e70b 100644
--- a/app/views/projects/pages/_no_domains.html.haml
+++ b/app/views/projects/pages/_no_domains.html.haml
@@ -1,6 +1,7 @@
-.panel.panel-default
- .panel-heading
- Domains
- .nothing-here-block
- Support for domains and certificates is disabled.
- Ask your system's administrator to enable it.
+- if can?(current_user, :update_pages, @project)
+ .panel.panel-default
+ .panel-heading
+ Domains
+ .nothing-here-block
+ Support for domains and certificates is disabled.
+ Ask your system's administrator to enable it.
diff --git a/app/views/projects/pages/show.html.haml b/app/views/projects/pages/show.html.haml
index f4ca33f418b..b6595269b06 100644
--- a/app/views/projects/pages/show.html.haml
+++ b/app/views/projects/pages/show.html.haml
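Review bot: The added `- else` branch in app/views/projects/pages/_destroy.haml prints "Only the project owner can remove pages" whenever the `- if` that opens the partial (outside this hunk) is false. If that condition tests anything besides the ability, for example whether pages are currently deployed, an owner would be told they lack a permission they actually hold. Confirm the `if` is purely the permission check, or give the non-permission case its own message. This branch is presentation only, so the delete route still needs the same owner check in the controller.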
@@ -2,7 +2,7 @@
 %h3.page_title
 Pages
- - if Gitlab.config.pages.external_http || Gitlab.config.pages.external_https
+ - if can?(current_user, :update_pages, @project) && (Gitlab.config.pages.external_http || Gitlab.config.pages.external_https)
 = link_to new_namespace_project_pages_domain_path(@project.namespace, @project), class: 'btn btn-new pull-right', title: 'New Domain' do
 %i.fa.fa-plus
 New Domain
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index 678fc3ffd1f..e87cae092a5 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -62,11 +62,14 @@ The following table depicts the various user permission levels in a project.
 | Manage runners | | | | ✓ | ✓ |
 | Manage build triggers | | | | ✓ | ✓ |
 | Manage variables | | | | ✓ | ✓ |
+| Manage pages | | | | ✓ | ✓ |
+| Manage pages domains and certificates | | | | ✓ | ✓ |
 | Switch visibility level | | | | | ✓ |
 | Transfer project to another namespace | | | | | ✓ |
 | Remove project | | | | | ✓ |
 | Force push to protected branches [^3] | | | | | |
 | Remove protected branches [^3] | | | | | |
+| Remove pages | | | | | ✓ |
 ## Group
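Review bot: The `can?(current_user, :update_pages, @project)` guard added to the `- if` in app/views/projects/pages/show.html.haml only hides the New Domain button; the target `new_namespace_project_pages_domain_path` is presumably served by a separate domains controller that this patch does not touch. Confirm that controller carries its own `before_action :authorize_update_pages!` (or a stricter ability) on its write actions, so the restriction is enforced on the server and not just in the template. The same ability check is now repeated in _list.html.haml and _no_domains.html.haml; evaluating it once in show.html.haml around the partial render would keep the three guards from drifting apart.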