Commit d8d8fe76 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Merge branch 'labels-permission-fix-7-12' into '7-12-stable'

Fix 403 Access Denied error messages when accessing Labels section in a project

This occurs when MRs are enabled but issues are disabled (the old `authorize_read_issue! || authorize_read_merge_request!` check rendered Access Denied as soon as the issues check failed, so the MR check never helped).

Closes #1813

See merge request !842
parents 71559a5f b8fd21f9
...@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base ...@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
end end
def after_sign_out_path_for(resource) def after_sign_out_path_for(resource)
current_application_settings.after_sign_out_path || new_user_session_path current_application_settings.after_sign_out_path || new_user_session_path
end end
def abilities def abilities
...@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base ...@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
return access_denied! unless can?(current_user, action, project) return access_denied! unless can?(current_user, action, project)
end end
def authorize_labels!
# Labels should be accessible for issues and/or merge requests
authorize_read_issue! || authorize_read_merge_request!
end
def access_denied! def access_denied!
render "errors/access_denied", layout: "errors", status: 404 render "errors/access_denied", layout: "errors", status: 404
end end
......
class Projects::LabelsController < Projects::ApplicationController class Projects::LabelsController < Projects::ApplicationController
before_action :module_enabled before_action :module_enabled
before_action :label, only: [:edit, :update, :destroy] before_action :label, only: [:edit, :update, :destroy]
before_action :authorize_labels! before_action :authorize_read_label!
before_action :authorize_admin_labels!, except: [:index] before_action :authorize_admin_labels!, except: [:index]
respond_to :js, :html respond_to :js, :html
......
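Review bot: `authorize_read_label!` on the `before_action` line is not defined anywhere in this commit, so a reader of this controller cannot tell how it is resolved; presumably it goes through the dynamic `authorize_*!` fallback into `authorize_project!`, whose body on the new side is `return access_denied! unless can?(current_user, action, project)`, with `action` being `:read_label` — confirm that fallback exists in this branch. A one-line comment would save the next maintainer that search, e.g. `# resolved dynamically to authorize_project!(:read_label); see Ability :read_label` above the `before_action`. Note also that the old helper's stated intent ("accessible for issues and/or merge requests") now rests on `:read_label` being withheld when both features are off, plus the `module_enabled` filter one line above, neither of which is visible here; the class body continues past this hunk.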
...@@ -138,6 +138,7 @@ class Ability ...@@ -138,6 +138,7 @@ class Ability
:read_project, :read_project,
:read_wiki, :read_wiki,
:read_issue, :read_issue,
:read_label,
:read_milestone, :read_milestone,
:read_project_snippet, :read_project_snippet,
:read_project_member, :read_project_member,
......
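Review bot: `:read_label` is added unconditionally to this rule list (the enclosing method starts and ends outside the hunk), yet the accompanying spec expects `access_denied!` when both issues and merge requests are disabled. For that expectation to hold, `:read_label` must also be stripped wherever this class removes `:read_issue`/`:read_merge_request` for disabled project features, and that code is not part of this diff; please confirm it handles the new ability, otherwise a guest on a project with both modules off would still pass `can?(user, :read_label, project)` and only the controller's `module_enabled` filter would stand between them and the labels page. A short comment next to the new entry, e.g. `# withdrawn when both issues and merge requests are disabled`, would document the dependency.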
...@@ -30,4 +30,44 @@ describe ApplicationController do ...@@ -30,4 +30,44 @@ describe ApplicationController do
controller.send(:check_password_expiration) controller.send(:check_password_expiration)
end end
end end
describe 'check labels authorization' do
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:controller) { ApplicationController.new }
before do
project.team << [user, :guest]
allow(controller).to receive(:current_user).and_return(user)
allow(controller).to receive(:project).and_return(project)
end
it 'should succeed if issues and MRs are enabled' do
project.issues_enabled = true
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are enabled, MRs are disabled' do
project.issues_enabled = true
project.merge_requests_enabled = false
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are disabled, MRs are enabled' do
project.issues_enabled = false
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should fail if issues and MRs are disabled' do
project.issues_enabled = false
project.merge_requests_enabled = false
expect(controller).to receive(:access_denied!)
controller.send(:authorize_read_label!)
end
end
end end
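Review bot: The three positive examples assert `expect(response.status).to eq(200)` after calling `controller.send(:authorize_read_label!)`, but `controller` is shadowed by the `let(:controller) { ApplicationController.new }` instance, so the spec's `response` object is never touched by that call and its status would read 200 whether or not access was denied; these assertions do not prove what their descriptions claim. Mirror the negative example instead and pin the behaviour directly: `expect(controller).not_to receive(:access_denied!)` placed before the `send`, in each of the three "should succeed" examples. It is also worth noting that `issues_enabled`/`merge_requests_enabled` are only set in memory here, which works because `project` is stubbed onto the controller; a comment such as `# unsaved flags are fine: the controller reads the stubbed in-memory project` would make that intentional rather than accidental.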