    Authorize access before serving project template · ba377e91
    Luke Duncalfe authored
    Previously, if a user was a guest member of a private project, they
    could access the merge request template as we were not checking
    permission levels of the user.
    
    When an issue template is asked for, the user must have :read_issue for
    the project; or :read_merge_request when a merge request template is
    asked for.
    
    We also now rescue_from FileNotFoundError and handle as 404. This is
    because RepoTemplateFinder can raise a FileNotFoundError exception,
    which Rails previously handled as a 500.
    
    We handle these in a way that is consistent with
    ActiveRecord::RecordNotFound exceptions, within controllers that
    inherit from Projects::ApplicationController at least, and return a
    404.
    
    https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
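The behaviour the commit message describes, as an added example written for this page (not GitLab's code): the permission check runs before the template lookup, and a FileNotFoundError from the finder becomes a 404 instead of a 500. The class names, the role-to-ability table and the choice of 404 for a failed permission check are assumptions made here for illustration.

```ruby
# Added example, not GitLab's code: a minimal model of "authorize access
# before serving project template". RepoTemplateFinder and the role table
# below are stand-ins assumed for illustration.

class FileNotFoundError < StandardError; end

# Stand-in for the repository template lookup. Raises FileNotFoundError when
# the requested template does not exist, as the real finder is said to do.
class RepoTemplateFinder
  # Constructed sample templates for the example.
  TEMPLATES = {
    issue: { "bug" => "## Bug report\n" },
    merge_request: { "feature" => "## Feature MR\n" }
  }.freeze

  def self.execute(type, name)
    TEMPLATES.fetch(type).fetch(name) { raise FileNotFoundError, "#{type}/#{name}" }
  end
end

# Assumed simplified permission model: a guest on a private project may read
# issues but not merge requests, so the guest must not receive MR templates.
ROLE_ABILITIES = {
  guest: [:read_issue],
  developer: [:read_issue, :read_merge_request]
}.freeze

# Which ability gates which template type (from the commit message).
REQUIRED_ABILITY = { issue: :read_issue, merge_request: :read_merge_request }.freeze

# Returns [status, body]. The permission check comes first, before any
# template lookup, so an unauthorized user cannot probe which templates
# exist. Assumption: a failed check is answered with 404, like a missing
# record, rather than 403.
def serve_template(role, type, name)
  ability = REQUIRED_ABILITY.fetch(type)
  return [404, nil] unless ROLE_ABILITIES.fetch(role).include?(ability)

  [200, RepoTemplateFinder.execute(type, name)]
rescue FileNotFoundError
  # Previously this propagated and Rails answered with a 500.
  [404, nil]
end
```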
templates_controller_spec.rb 3.91 KB