Merge branch '26781-enforce-auth-checks-on-uploads' into 'master'

Enforce auth checks on uploads See merge request gitlab-org/gitlab!80117

Merge branch '26781-enforce-auth-checks-on-uploads' into 'master'
Enforce auth checks on uploads See merge request gitlab-org/gitlab!80117
3340617d · Heinrich Lee Yu · e0f64d91 · 8999ca18 · 3340617d · 3340617d
Commit 3340617d authored Feb 09, 2022 by Heinrich Lee Yu
5 changed files
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -142,6 +142,14 @@ module UploadsActions
    uploader && uploader.exists? && uploader.embeddable?
  end

+  def bypass_auth_checks_on_uploads?
+    if ::Feature.enabled?(:enforce_auth_checks_on_uploads, default_enabled: :yaml)
+      false
+    else
+      action_name == 'show' && embeddable?
+    end
+  end
+
  def find_model
    nil
  end

--- a/app/controllers/groups/uploads_controller.rb
+++ b/app/controllers/groups/uploads_controller.rb
@@ -4,7 +4,7 @@ class Groups::UploadsController < Groups::ApplicationController
  include UploadsActions
  include WorkhorseRequest

-  skip_before_action :group, if: -> { action_name == 'show' && embeddable? }
+  skip_before_action :group, if: -> { bypass_auth_checks_on_uploads? }

  before_action :authorize_upload_file!, only: [:create, :authorize]
  before_action :verify_workhorse_api!, only: [:authorize]

--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
@@ -6,7 +6,7 @@ class Projects::UploadsController < Projects::ApplicationController

  # These will kick you out if you don't have access.
  skip_before_action :project, :repository,
-    if: -> { action_name == 'show' && embeddable? }
+    if: -> { bypass_auth_checks_on_uploads? }

  before_action :authorize_upload_file!, only: [:create, :authorize]
  before_action :verify_workhorse_api!, only: [:authorize]

--- a/config/feature_flags/development/enforce_auth_checks_on_uploads.yml
+++ b/config/feature_flags/development/enforce_auth_checks_on_uploads.yml
+---
+name: enforce_auth_checks_on_uploads
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80117
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352291
+milestone: '14.8'
+type: development
+group: group::code review
+default_enabled: false
--- a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
@@ -205,12 +205,32 @@ RSpec.shared_examples 'handle uploads' do
              allow_any_instance_of(FileUploader).to receive(:image?).and_return(true)
            end

+            context "enforce_auth_checks_on_uploads feature flag" do
+              context "with flag enabled" do
+                before do
+                  stub_feature_flags(enforce_auth_checks_on_uploads: true)
+                end
+
+                it "responds with status 302" do
+                  show_upload
+
+                  expect(response).to have_gitlab_http_status(:redirect)
+                end
+              end
+
+              context "with flag disabled" do
+                before do
+                  stub_feature_flags(enforce_auth_checks_on_uploads: false)
+                end
+
                it "responds with status 200" do
                  show_upload

                  expect(response).to have_gitlab_http_status(:ok)
                end
              end
+            end
+          end

          context "when the file is not an image" do
            before do
@@ -276,12 +296,32 @@ RSpec.shared_examples 'handle uploads' do
                allow_any_instance_of(FileUploader).to receive(:image?).and_return(true)
              end

+              context "enforce_auth_checks_on_uploads feature flag" do
+                context "with flag enabled" do
+                  before do
+                    stub_feature_flags(enforce_auth_checks_on_uploads: true)
+                  end
+
+                  it "responds with status 404" do
+                    show_upload
+
+                    expect(response).to have_gitlab_http_status(:not_found)
+                  end
+                end
+
+                context "with flag disabled" do
+                  before do
+                    stub_feature_flags(enforce_auth_checks_on_uploads: false)
+                  end
+
                  it "responds with status 200" do
                    show_upload

                    expect(response).to have_gitlab_http_status(:ok)
                  end
                end
+              end
+            end

            context "when the file is not an image" do
              before do