Project guests no longer are able to see refs page

Adds download_code authorization check to ProjectsController#refs action, to prevent a project guest from seeing branch, tags and commits information
2018-12-10 13:58:34 +00:00 · 2018-12-10 13:58:34 +00:00 · 8772bdabb2
parent ffef28ccd6
commit 8772bdabb2
3 changed files with 26 additions and 4 deletions
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@ -19,6 +19,7 @@ class ProjectsController < Projects::ApplicationController
  before_action :lfs_blob_ids, only: [:show], if: [:repo_exists?, :project_view_files?]
  before_action :project_export_enabled, only: [:export, :download_export, :remove_export, :generate_new_export]
  before_action :present_project, only: [:edit]
+  before_action :authorize_download_code!, only: [:refs]

  # Authorize
  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export, :remove_export, :generate_new_export]
--- a/changelogs/unreleased/security-refs-available-to-project-guest.yml
+++ b/changelogs/unreleased/security-refs-available-to-project-guest.yml
@ -0,0 +1,5 @@
+---
+title: Project guests no longer are able to see refs page
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@ -621,10 +621,10 @@ describe ProjectsController do
  end

  describe "GET refs" do
-    let(:public_project) { create(:project, :public, :repository) }
+    let(:project) { create(:project, :public, :repository) }

    it 'gets a list of branches and tags' do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc' }
+      get :refs, params: { namespace_id: project.namespace, id: project, sort: 'updated_desc' }

      parsed_body = JSON.parse(response.body)
      expect(parsed_body['Branches']).to include('master')
@ -634,7 +634,7 @@ describe ProjectsController do
    end

    it "gets a list of branches, tags and commits" do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+      get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }

      parsed_body = JSON.parse(response.body)
      expect(parsed_body["Branches"]).to include("master")
@ -649,7 +649,7 @@ describe ProjectsController do
      end

      it "gets a list of branches, tags and commits" do
-        get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+        get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }

        parsed_body = JSON.parse(response.body)
        expect(parsed_body["Branches"]).to include("master")
@ -657,6 +657,22 @@ describe ProjectsController do
        expect(parsed_body["Commits"]).to include("123456")
      end
    end
+
+    context 'when private project' do
+      let(:project) { create(:project, :repository) }
+
+      context 'as a guest' do
+        it 'renders forbidden' do
+          user = create(:user)
+          project.add_guest(user)
+
+          sign_in(user)
+          get :refs, namespace_id: project.namespace, id: project
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
  end

  describe 'POST #preview_markdown' do