Commit graph

9 commits

Author SHA1 Message Date
Bob Van Landuyt
d801dd1774 Allows access_(git|api) to anonymous users
The `access_git` and `access_api` were currently never checked for
anonymous users. And they would also be allowed access:

  An anonymous user can clone and pull from a public repo

  An anonymous user can request public information from the API

So the policy didn't actually reflect what we were enforcing.
2018-05-10 17:02:27 +02:00
Bob Van Landuyt
f7f13f9db0 Block access to API & git when terms are enforced
When terms are enforced, but the user has not accepted the terms
access to the API & git is rejected with a message directing the user
to the web app to accept the terms.
2018-05-10 17:02:27 +02:00
Bob Van Landuyt
7684217d68 Enforces terms in the web application
This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.
2018-05-04 13:54:43 +02:00
Phil Hughes
93aa6d04c2
moved fork checks into policies 2017-09-29 12:14:39 +01:00
Markus Koller
e9eae3eb0d Support custom attributes on users 2017-09-28 16:49:42 +00:00
Rémy Coutable
cddc5cacfb Use described_class when possible
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
Rémy Coutable
ddccd24c13 Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
Lin Jen-Shin
25e44edc30 Allow admin to read_users_list even if it's restricted 2017-07-25 16:49:26 +08:00
Timothy Andrew
96e986327c Implement review comments for !12445 from @jneen.
- Fix duplicate `prevent` declaration
- Add spec for `GlobalPolicy`
2017-07-03 05:14:00 +00:00