Commit 56b33c11 authored by Sean McGivern's avatar Sean McGivern Committed by Alejandro Rodríguez

Merge branch 'fix/git-access-wiki-when-repository-feature-disabled' into 'master'

Fixes access to the wiki code with git when repository feature disabled

## What does this MR do?

Allow access to the wiki repository with git when the repository feature is disabled.

## Why was this MR needed?

Without this fix, if you create a wiki only project you are not allowed to download the wiki code from this project.

## Does this MR meet the acceptance criteria?

- [X] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [ ] ~~[Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)~~
- [ ] ~~API support added~~
- Tests
  - [X] Added for this feature/bug
  - [ ] All builds are passing
- [X] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

Fixes #24931

See merge request !7832
parent 93ee6811
...@@ -50,6 +50,7 @@ class ProjectPolicy < BasePolicy ...@@ -50,6 +50,7 @@ class ProjectPolicy < BasePolicy
def reporter_access! def reporter_access!
can! :download_code can! :download_code
can! :download_wiki_code
can! :fork_project can! :fork_project
can! :create_project_snippet can! :create_project_snippet
can! :update_issue can! :update_issue
...@@ -187,6 +188,7 @@ class ProjectPolicy < BasePolicy ...@@ -187,6 +188,7 @@ class ProjectPolicy < BasePolicy
unless project.feature_available?(:wiki, user) || project.has_external_wiki? unless project.feature_available?(:wiki, user) || project.has_external_wiki?
cannot!(*named_abilities(:wiki)) cannot!(*named_abilities(:wiki))
cannot!(:download_wiki_code)
end end
unless project.feature_available?(:builds, user) && repository_enabled unless project.feature_available?(:builds, user) && repository_enabled
...@@ -226,6 +228,7 @@ class ProjectPolicy < BasePolicy ...@@ -226,6 +228,7 @@ class ProjectPolicy < BasePolicy
can! :read_commit_status can! :read_commit_status
can! :read_container_image can! :read_container_image
can! :download_code can! :download_code
can! :download_wiki_code
can! :read_cycle_analytics can! :read_cycle_analytics
# NOTE: may be overridden by IssuePolicy # NOTE: may be overridden by IssuePolicy
......
---
title: Allow access to the wiki with git when repository feature disabled
merge_request:
author:
...@@ -46,7 +46,7 @@ module Gitlab ...@@ -46,7 +46,7 @@ module Gitlab
def download_access_check def download_access_check
if user if user
user_download_access_check user_download_access_check
elsif deploy_key.nil? && !Guest.can?(:download_code, project) elsif deploy_key.nil? && !guest_can_downlod_code?
raise UnauthorizedError, ERROR_MESSAGES[:download] raise UnauthorizedError, ERROR_MESSAGES[:download]
end end
end end
...@@ -59,6 +59,10 @@ module Gitlab ...@@ -59,6 +59,10 @@ module Gitlab
end end
end end
def guest_can_downlod_code?
Guest.can?(:download_code, project)
end
def user_download_access_check def user_download_access_check
unless user_can_download_code? || build_can_download_code? unless user_can_download_code? || build_can_download_code?
raise UnauthorizedError, ERROR_MESSAGES[:download] raise UnauthorizedError, ERROR_MESSAGES[:download]
......
module Gitlab module Gitlab
class GitAccessWiki < GitAccess class GitAccessWiki < GitAccess
def guest_can_downlod_code?
Guest.can?(:download_wiki_code, project)
end
def user_can_download_code?
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_wiki_code)
end
def change_access_check(change) def change_access_check(change)
if user_access.can_do_action?(:create_wiki) if user_access.can_do_action?(:create_wiki)
build_status_object(true) build_status_object(true)
......
...@@ -26,4 +26,29 @@ describe Gitlab::GitAccessWiki, lib: true do ...@@ -26,4 +26,29 @@ describe Gitlab::GitAccessWiki, lib: true do
def changes def changes
['6f6d7e7ed 570e7b2ab refs/heads/master'] ['6f6d7e7ed 570e7b2ab refs/heads/master']
end end
describe '#download_access_check' do
subject { access.check('git-upload-pack', '_any') }
before do
project.team << [user, :developer]
end
context 'when wiki feature is enabled' do
it 'give access to download wiki code' do
project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::ENABLED)
expect(subject.allowed?).to be_truthy
end
end
context 'when wiki feature is disabled' do
it 'does not give access to download wiki code' do
project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED)
expect(subject.allowed?).to be_falsey
expect(subject.message).to match(/You are not allowed to download code/)
end
end
end
end end
...@@ -23,7 +23,7 @@ describe ProjectPolicy, models: true do ...@@ -23,7 +23,7 @@ describe ProjectPolicy, models: true do
:download_code, :fork_project, :create_project_snippet, :update_issue, :download_code, :fork_project, :create_project_snippet, :update_issue,
:admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build, :admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build,
:read_container_image, :read_pipeline, :read_environment, :read_deployment, :read_container_image, :read_pipeline, :read_environment, :read_deployment,
:read_merge_request :read_merge_request, :download_wiki_code
] ]
end end
...@@ -56,7 +56,8 @@ describe ProjectPolicy, models: true do ...@@ -56,7 +56,8 @@ describe ProjectPolicy, models: true do
let(:public_permissions) do let(:public_permissions) do
[ [
:download_code, :fork_project, :read_commit_status, :read_pipeline, :download_code, :fork_project, :read_commit_status, :read_pipeline,
:read_container_image, :build_download_code, :build_read_container_image :read_container_image, :build_download_code, :build_read_container_image,
:download_wiki_code
] ]
end end
...@@ -87,6 +88,15 @@ describe ProjectPolicy, models: true do ...@@ -87,6 +88,15 @@ describe ProjectPolicy, models: true do
expect(Ability.allowed?(user, :read_issue, project)).to be_falsy expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
end end
it 'does not include the wiki permissions when the feature is disabled' do
project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED)
wiki_permissions = [:read_wiki, :create_wiki, :update_wiki, :admin_wiki, :download_wiki_code]
permissions = described_class.abilities(owner, project).to_set
expect(permissions).not_to include(*wiki_permissions)
end
context 'abilities for non-public projects' do context 'abilities for non-public projects' do
let(:project) { create(:empty_project, namespace: owner.namespace) } let(:project) { create(:empty_project, namespace: owner.namespace) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment