Restore 403 functionality for external auth (EE)

When we unhooked ClustersController from Project::ApplicationsController, we missed an EE override to handle_not_found_or_authorized. Rather than carry on with override RoutingActions, make a specific proc for Project that we override in EE instead. Use that proc in both Clusters::BaseController and Project::ApplicationsController.

Restore 403 functionality for external auth (EE)
When we unhooked ClustersController from Project::ApplicationsController, we missed an EE override to handle_not_found_or_authorized. Rather than carry on with override RoutingActions, make a specific proc for Project that we override in EE instead. Use that proc in both Clusters::BaseController and Project::ApplicationsController.
28dabc67 · Thong Kuah · 1163b235 · 28dabc67 · 28dabc67 · 28dabc67
Commit 28dabc67 authored Oct 31, 2018 by Thong Kuah
4 changed files
--- a/app/controllers/clusters/base_controller.rb
+++ b/app/controllers/clusters/base_controller.rb
@@ -2,6 +2,7 @@
 class Clusters::BaseController < ApplicationController
  include RoutableActions
+  include ProjectUnauthorized
  skip_before_action :authenticate_user!
  before_action :require_project_id
@@ -21,7 +22,7 @@ class Clusters::BaseController < ApplicationController
  end
  def project
-    @project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id]))
+    @project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id]), not_found_or_authorized_proc: project_unauthorized_proc)
  end
  def repository

--- a/app/controllers/concerns/project_unauthorized.rb
+++ b/app/controllers/concerns/project_unauthorized.rb
+# frozen_string_literal: true
+module ProjectUnauthorized
+  extend ActiveSupport::Concern
+  # EE would override this
+  def project_unauthorized_proc
+    # no-op
+  end
+end
--- a/app/controllers/concerns/routable_actions.rb
+++ b/app/controllers/concerns/routable_actions.rb
@@ -3,23 +3,25 @@
 module RoutableActions
  extend ActiveSupport::Concern
-  def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil)
+  def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil, not_found_or_authorized_proc: nil)
    routable = routable_klass.find_by_full_path(requested_full_path, follow_redirects: request.get?)
    if routable_authorized?(routable, extra_authorization_proc)
      ensure_canonical_path(routable, requested_full_path)
      routable
    else
-      handle_not_found_or_authorized(routable)
+      if not_found_or_authorized_proc
-      nil
+        not_found_or_authorized_proc.call(routable)
-    end
      end
-  # This is overridden in gitlab-ee.
+      route_not_found unless performed?
-  def handle_not_found_or_authorized(_routable)
-    route_not_found
+      nil
+    end
  end
  def routable_authorized?(routable, extra_authorization_proc)
+    return false unless routable
    action = :"read_#{routable.class.to_s.underscore}"
    return false unless can?(current_user, action, routable)

--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -3,6 +3,7 @@
 class Projects::ApplicationController < ApplicationController
  include CookiesHelper
  include RoutableActions
+  include ProjectUnauthorized
  include ChecksCollaboration
  skip_before_action :authenticate_user!
@@ -21,7 +22,7 @@ class Projects::ApplicationController < ApplicationController
    path = File.join(params[:namespace_id], params[:project_id] || params[:id])
    auth_proc = ->(project) { !project.pending_delete? }
-    @project = find_routable!(Project, path, extra_authorization_proc: auth_proc)
+    @project = find_routable!(Project, path, extra_authorization_proc: auth_proc, not_found_or_authorized_proc: project_unauthorized_proc)
  end
  def build_canonical_path(project)