Merge branch '18165-add-access-control-for-restricted-public-level' into 'master'

Restrict page access when visibility is restricted to Public See merge request gitlab-org/gitlab!22522

Merge branch '18165-add-access-control-for-restricted-public-level' into 'master'
Restrict page access when visibility is restricted to Public See merge request gitlab-org/gitlab!22522
2dd2a07f · Imre Farkas · 13f7f179 · 33401ff1 · 2dd2a07f · 2dd2a07f
Commit 2dd2a07f authored Apr 15, 2020 by Imre Farkas
17 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -496,6 +496,10 @@ class ApplicationController < ActionController::Base
    html_request? && !devise_controller?
  end

+  def public_visibility_restricted?
+    Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
+  end
+
  def set_usage_stats_consent_flag
    return unless current_user
    return if sessionless_user?

--- a/app/controllers/explore/application_controller.rb
+++ b/app/controllers/explore/application_controller.rb
 # frozen_string_literal: true

 class Explore::ApplicationController < ApplicationController
-  skip_before_action :authenticate_user!
+  skip_before_action :authenticate_user!, unless: :public_visibility_restricted?

  layout 'explore'
 end
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
 # frozen_string_literal: true

 class HelpController < ApplicationController
-  skip_before_action :authenticate_user!
+  skip_before_action :authenticate_user!, unless: :public_visibility_restricted?

  layout 'help'


--- a/app/helpers/explore_helper.rb
+++ b/app/helpers/explore_helper.rb
@@ -51,6 +51,10 @@ module ExploreHelper
    links.any? { |link| explore_nav_link?(link) }
  end

+  def public_visibility_restricted?
+    Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
+  end
+
  private

  def get_explore_nav_links

--- a/app/views/layouts/devise.html.haml
+++ b/app/views/layouts/devise.html.haml
@@ -38,7 +38,9 @@
      %hr.footer-fixed
      .container.footer-container
        .footer-links
-          = link_to _("Explore"), explore_root_path
-          = link_to _("Help"), help_path
+          - if !public_visibility_restricted?
+            = link_to _("Explore"), explore_root_path
+            = link_to _("Help"), help_path
          = link_to _("About GitLab"), "https://about.gitlab.com/"
+
      = footer_message
--- a/app/views/layouts/devise_empty.html.haml
+++ b/app/views/layouts/devise_empty.html.haml
@@ -14,7 +14,8 @@
    %hr
    .container
      .footer-links
-        = link_to _("Explore"), explore_root_path
-        = link_to _("Help"), help_path
+        - if !public_visibility_restricted?
+          = link_to _("Explore"), explore_root_path
+          = link_to _("Help"), help_path
        = link_to _("About GitLab"), "https://about.gitlab.com/"
    = footer_message
--- a/doc/install/aws/index.md
+++ b/doc/install/aws/index.md
@@ -205,7 +205,7 @@ On the EC2 dashboard, look for Load Balancer in the left navigation bar:
 1. Click **Configure Health Check** and set up a health check for your EC2 instances.
   1. For **Ping Protocol**, select HTTP.
   1. For **Ping Port**, enter 80.
-   1. For **Ping Path**, enter `/explore`. (We use `/explore` as it's a public endpoint that does
+   1. For **Ping Path**, enter `/users/sign_in`. (We use `/users/sign_in` as it's a public endpoint that does
   not require authorization.)
   1. Keep the default **Advanced Details** or adjust them according to your needs.
 1. Click **Add EC2 Instances** but, as we don't have any instances to add yet, come back

--- a/doc/public_access/public_access.md
+++ b/doc/public_access/public_access.md
@@ -69,6 +69,16 @@ you are privileged to.

 If the public level is restricted, user profiles are only visible to logged in users.

+## Visibility of pages
+
+By default, the following directories are visible to unauthenticated users:
+
+- Public access (`/public`).
+- Explore (`/explore`).
+- Help (`/help`).
+
+However, if the access level of the `/public` directory is restricted, these directories are visible only to logged in users.
+
 ## Restricting the use of public or internal projects

 You can restrict the use of visibility levels for users when they create a project or a

--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -91,7 +91,7 @@ For more details on group visibility, see [Public access](../../../public_access

 ## Restricted visibility levels

-To set the available visibility levels for new projects and snippets:
+To set the available visibility levels for projects, snippets, and selected pages:

 1. Check the desired visibility levels.
 1. Click **Save changes**.

--- a/ee/changelogs/unreleased/18165-add-access-control-for-restricted-public-level.yml
+++ b/ee/changelogs/unreleased/18165-add-access-control-for-restricted-public-level.yml
+---
+title: Restrict page access when restricted level is public
+merge_request: 22522
+author: briankabiro
+type: added
--- a/ee/spec/features/users/login_spec.rb
+++ b/ee/spec/features/users/login_spec.rb
@@ -186,4 +186,35 @@ describe 'Login' do
      end
    end
  end
+
+  describe 'restricted visibility levels' do
+    context 'contains public level' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'hides Explore link' do
+        visit new_user_session_path
+
+        expect(page).to have_no_link("Explore")
+      end
+
+      it 'hides help link' do
+        visit new_user_session_path
+
+        expect(page).to have_no_link("Help")
+      end
+    end
+
+    context 'does not contain public level' do
+      it 'displays Explore and Help links' do
+        visit new_user_session_path
+
+        href = find_link("Help")[:href]
+
+        expect(href).to eq("/help")
+        expect(page).to have_link("Explore")
+      end
+    end
+  end
 end
--- a/ee/spec/features/users/signup_spec.rb
+++ b/ee/spec/features/users/signup_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Signup' do
+  context 'almost there page' do
+    context 'when public visibility is restricted' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'hides Explore link' do
+        visit users_almost_there_path
+
+        expect(page).to have_no_link("Explore")
+      end
+
+      it 'hides help link' do
+        visit users_almost_there_path
+
+        expect(page).to have_no_link("Help")
+      end
+    end
+  end
+end
--- a/spec/controllers/explore/groups_controller_spec.rb
+++ b/spec/controllers/explore/groups_controller_spec.rb
@@ -22,4 +22,18 @@ describe Explore::GroupsController do

    expect(assigns(:groups)).to contain_exactly(member_of_group, public_group)
  end
+
+  context 'restricted visibility level is public' do
+    before do
+      sign_out(user)
+
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+    end
+
+    it 'redirects to login page' do
+      get :index
+
+      expect(response).to redirect_to new_user_session_path
+    end
+  end
 end
--- a/spec/controllers/explore/projects_controller_spec.rb
+++ b/spec/controllers/explore/projects_controller_spec.rb
@@ -171,5 +171,17 @@ describe Explore::ProjectsController do
        get :index, params: { sort: sorting_param }
      end
    end
+
+    context 'restricted visibility level is public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to login page' do
+        get :index
+
+        expect(response).to redirect_to new_user_session_path
+      end
+    end
  end
 end
--- a/spec/controllers/help_controller_spec.rb
+++ b/spec/controllers/help_controller_spec.rb
@@ -79,6 +79,20 @@ describe HelpController do
        expect(assigns[:help_index]).to eq '[protocol-relative](//example.com)'
      end
    end
+
+    context 'restricted visibility set to public' do
+      before do
+        sign_out(user)
+
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to sign_in path' do
+        get :index
+
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
  end

  describe 'GET #show' do

--- a/spec/features/explore/groups_spec.rb
+++ b/spec/features/explore/groups_spec.rb
@@ -89,5 +89,17 @@ describe 'Explore Groups', :js do
    end

    it_behaves_like 'renders group in public groups area'
+
+    context 'when visibility is restricted to public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      it 'redirects to the sign in page' do
+        visit explore_groups_path
+
+        expect(page).to have_current_path(new_user_session_path)
+      end
+    end
  end
 end
--- a/spec/features/explore/user_explores_projects_spec.rb
+++ b/spec/features/explore/user_explores_projects_spec.rb
@@ -16,6 +16,17 @@ describe 'User explores projects' do

      include_examples 'shows public projects'
    end
+
+    context 'when visibility is restricted to public' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+        visit(explore_projects_path)
+      end
+
+      it 'redirects to login page' do
+        expect(page).to have_current_path(new_user_session_path)
+      end
+    end
  end

  context 'when signed in' do