Project guests no longer are able to see refs page
Adds a download_code authorization check to the ProjectsController#refs action, to prevent a project guest from seeing branch, tag and commit information
parent
ffef28ccd6
commit
8772bdabb2
@ -19,6 +19,7 @@ class ProjectsController < Projects::ApplicationController
|
|||
before_action :lfs_blob_ids, only: [:show], if: [:repo_exists?, :project_view_files?]
|
||||
before_action :project_export_enabled, only: [:export, :download_export, :remove_export, :generate_new_export]
|
||||
before_action :present_project, only: [:edit]
|
||||
before_action :authorize_download_code!, only: [:refs]
|
||||
|
||||
# Authorize
|
||||
before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export, :remove_export, :generate_new_export]
|
||||
|
|
|
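Review bot: The new `before_action :authorize_download_code!, only: [:refs]` sits above the `# Authorize` comment among the setup filters, while the existing authorization filter `authorize_admin_project!` is grouped below that comment; moving the new line under `# Authorize`, next to `authorize_admin_project!`, keeps the access checks together where a reader looks for them. The `only:` sets of the two filters do not overlap, so the move changes nothing about filter order. The class body continues outside the hunk.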
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Project guests no longer are able to see refs page
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -621,10 +621,10 @@ describe ProjectsController do
|
|||
end
|
||||
|
||||
describe "GET refs" do
|
||||
let(:public_project) { create(:project, :public, :repository) }
|
||||
let(:project) { create(:project, :public, :repository) }
|
||||
|
||||
it 'gets a list of branches and tags' do
|
||||
get :refs, params: { namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc' }
|
||||
get :refs, params: { namespace_id: project.namespace, id: project, sort: 'updated_desc' }
|
||||
|
||||
parsed_body = JSON.parse(response.body)
|
||||
expect(parsed_body['Branches']).to include('master')
|
||||
|
@ -634,7 +634,7 @@ describe ProjectsController do
|
|||
end
|
||||
|
||||
it "gets a list of branches, tags and commits" do
|
||||
get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
|
||||
get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
|
||||
|
||||
parsed_body = JSON.parse(response.body)
|
||||
expect(parsed_body["Branches"]).to include("master")
|
||||
|
@ -649,7 +649,7 @@ describe ProjectsController do
|
|||
end
|
||||
|
||||
it "gets a list of branches, tags and commits" do
|
||||
get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
|
||||
get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
|
||||
|
||||
parsed_body = JSON.parse(response.body)
|
||||
expect(parsed_body["Branches"]).to include("master")
|
||||
|
@ -657,6 +657,22 @@ describe ProjectsController do
|
|||
expect(parsed_body["Commits"]).to include("123456")
|
||||
end
|
||||
end
|
||||
|
||||
context 'when private project' do
|
||||
let(:project) { create(:project, :repository) }
|
||||
|
||||
context 'as a guest' do
|
||||
it 'renders forbidden' do
|
||||
user = create(:user)
|
||||
project.add_guest(user)
|
||||
|
||||
sign_in(user)
|
||||
get :refs, namespace_id: project.namespace, id: project
|
||||
|
||||
expect(response).to have_gitlab_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #preview_markdown' do
|
||||
|
|
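Review bot: The new request `get :refs, namespace_id: project.namespace, id: project` passes the request parameters as bare keywords, while every other call in this spec wraps them in `params:` (for example `get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }` in the hunks above); the bare form has been deprecated since Rails 5.0 and is rejected on later versions, so it should read `get :refs, params: { namespace_id: project.namespace, id: project }`. The example is named 'renders forbidden' but asserts `have_gitlab_http_status(404)`; renaming it to 'renders not found' (or asserting 403 if that is the intended response) keeps the name and the expectation in agreement. A positive case for a member with a higher role on the same private project, asserting a 200 response whose parsed `Branches` includes `master`, would also guard against the new filter being over-restrictive. The `describe "GET refs"` block starts outside the hunk.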