Commit 0e615a48 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'fix-labels-permisssion-check' into 'master'

Fix 403 Access Denied error messages when accessing Labels section in a project

This would occur if the project's issues or merge requests features were disabled. The change in 9bcd3639 caused `can?(current_user, :read_merge_request, project)` to be false if the merge request feature were disabled, so `authorize_labels!` needs to be changed accordingly.

Closes #1813

See merge request !836
parents ffe130d8 07efb17e
......@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
end
def after_sign_out_path_for(resource)
current_application_settings.after_sign_out_path || new_user_session_path
current_application_settings.after_sign_out_path || new_user_session_path
end
def abilities
......@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
return access_denied! unless can?(current_user, action, project)
end
def authorize_labels!
# Labels should be accessible for issues and/or merge requests
authorize_read_issue! || authorize_read_merge_request!
end
def access_denied!
render "errors/access_denied", layout: "errors", status: 404
end
......
class Projects::LabelsController < Projects::ApplicationController
before_action :module_enabled
before_action :label, only: [:edit, :update, :destroy]
before_action :authorize_labels!
before_action :authorize_read_label!
before_action :authorize_admin_labels!, except: [:index]
respond_to :js, :html
......
......@@ -138,6 +138,7 @@ class Ability
:read_project,
:read_wiki,
:read_issue,
:read_label,
:read_milestone,
:read_project_snippet,
:read_project_member,
......
......@@ -30,4 +30,44 @@ describe ApplicationController do
controller.send(:check_password_expiration)
end
end
describe 'check labels authorization' do
let(:project) { create(:project) }
let(:user) { create(:user) }
let(:controller) { ApplicationController.new }
before do
project.team << [user, :guest]
allow(controller).to receive(:current_user).and_return(user)
allow(controller).to receive(:project).and_return(project)
end
it 'should succeed if issues and MRs are enabled' do
project.issues_enabled = true
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are enabled, MRs are disabled' do
project.issues_enabled = true
project.merge_requests_enabled = false
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should succeed if issues are disabled, MRs are enabled' do
project.issues_enabled = false
project.merge_requests_enabled = true
controller.send(:authorize_read_label!)
expect(response.status).to eq(200)
end
it 'should fail if issues and MRs are disabled' do
project.issues_enabled = false
project.merge_requests_enabled = false
expect(controller).to receive(:access_denied!)
controller.send(:authorize_read_label!)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment