Commit b8fd21f9 authored by Stan Hu's avatar Stan Hu

Fix 403 Access Denied error messages when accessing Labels section in a...

Fix 403 Access Denied error messages when accessing Labels section in a project that has MRs disabled but issues enabled

Closes #1813
parent 71559a5f
...@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base ...@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
end end
def after_sign_out_path_for(resource) def after_sign_out_path_for(resource)
current_application_settings.after_sign_out_path || new_user_session_path current_application_settings.after_sign_out_path || new_user_session_path
end end
def abilities def abilities
...@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base ...@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
return access_denied! unless can?(current_user, action, project) return access_denied! unless can?(current_user, action, project)
end end
def authorize_labels!
# Labels should be accessible for issues and/or merge requests
authorize_read_issue! || authorize_read_merge_request!
end
def access_denied! def access_denied!
render "errors/access_denied", layout: "errors", status: 404 render "errors/access_denied", layout: "errors", status: 404
end end
......
class Projects::LabelsController < Projects::ApplicationController class Projects::LabelsController < Projects::ApplicationController
before_action :module_enabled before_action :module_enabled
before_action :label, only: [:edit, :update, :destroy] before_action :label, only: [:edit, :update, :destroy]
before_action :authorize_labels! before_action :authorize_read_label!
before_action :authorize_admin_labels!, except: [:index] before_action :authorize_admin_labels!, except: [:index]
respond_to :js, :html respond_to :js, :html
......
...@@ -138,6 +138,7 @@ class Ability ...@@ -138,6 +138,7 @@ class Ability
:read_project, :read_project,
:read_wiki, :read_wiki,
:read_issue, :read_issue,
:read_label,
:read_milestone, :read_milestone,
:read_project_snippet, :read_project_snippet,
:read_project_member, :read_project_member,
......
...@@ -30,4 +30,44 @@ describe ApplicationController do ...@@ -30,4 +30,44 @@ describe ApplicationController do
controller.send(:check_password_expiration) controller.send(:check_password_expiration)
end end
end end
describe 'check labels authorization' do
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:controller) { ApplicationController.new }
before do
project.team << [user, :guest]
allow(controller).to receive(:current_user).and_return(user)
allow(controller).to receive(:project).and_return(project)
end
it 'should succeed if issues and MRs are enabled' do
project.issues_enabled = true
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are enabled, MRs are disabled' do
project.issues_enabled = true
project.merge_requests_enabled = false
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are disabled, MRs are enabled' do
project.issues_enabled = false
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should fail if issues and MRs are disabled' do
project.issues_enabled = false
project.merge_requests_enabled = false
expect(controller).to receive(:access_denied!)
controller.send(:authorize_read_label!)
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment