Merge branch 'fix-unauthenticated-label-access' into 'master'

Fix label read access for unauthenticated users

The label page was added to navigation for unauthorized users because
the previously used milestone read permission was still checked. This
has been fixed and read access to labels is now granted (again) for
public projects.

This regression has been introduced in
07efb17e10 (7.12).

See also 9bcd36396b.

Refs !836, !842.

See merge request !1000
Stan Hu 2015-07-20 03:29:13 +00:00
commit e5a12596ab
3 changed files with 7 additions and 1 deletions

@ -1,6 +1,7 @@
Please view this file on the master branch, on stable branches it's out of date.
v 7.14.0 (unreleased)
- Fix label read access for unauthenticated users (Daniel Gerhardt)
- Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
- Fix file upload dialog for comment editing (Daniel Gerhardt)
- Expire Rails cache entries after two weeks to prevent endless Redis growth
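Review bot: The new entry under v 7.14.0 does not say that this is a regression fix, although the commit message dates the regression to 7.12. Consider extending the wording, for example "Fix label read access for unauthenticated users (regression since 7.12)", so that readers on the affected releases can tell they need the fix, and decide whether it should also go to the stable branches.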

@ -131,8 +131,12 @@ module ProjectsHelper
nav_tabs << :snippets
end
if can?(current_user, :read_label, project)
nav_tabs << :labels
end
if can?(current_user, :read_milestone, project)
nav_tabs << [:milestones, :labels]
nav_tabs << :milestones
end
nav_tabs.flatten
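Review bot: No spec covers the new `can?(current_user, :read_label, project)` branch; none of the three changed files shown here is a test. Since the commit message describes this as a regression, add a helper spec that checks the returned tabs for an anonymous user on a public project and for a user who has :read_milestone but not :read_label, so the labels tab cannot silently be tied to the wrong permission again. Also, with `nav_tabs << [:milestones, :labels]` gone, check whether any remaining branch of this method still appends an array; if none does, `nav_tabs.flatten` can be reduced to `nav_tabs`.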

@ -35,6 +35,7 @@ class Ability
:read_project,
:read_wiki,
:read_issue,
:read_label,
:read_milestone,
:read_project_snippet,
:read_project_member,
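Review bot: Only one permission list is visible here, with `:read_label` added next to `:read_milestone`. Because the helper now gates the labels tab on :read_label instead of :read_milestone, every other rule list in this class that grants :read_milestone needs :read_label as well, otherwise users covered by those lists lose the tab they had before. Please confirm that, and add an ability spec asserting that :read_label is granted to an unauthenticated user on a public project and is not granted on a private one.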