Commit 33401ff1 authored by Brian Kabiro's avatar Brian Kabiro Committed by Imre Farkas

Restrict access when restricted visibility level is public

Some organizations prefer to have all Gitlab related data private
but it is currently possible for non-authenticated users to access
certain pages e.g /public and /explore

This change makes it possible to restrict access by
checking if `public` is included in the restricted visibility
level setting.

* require authentication for /explore, /help, and /public for non-authenticated users.
* remove the Explore link from the sign in page.
* redirect an unauthenticated user attempting to access /help to https://docs.gitlab.com/.
parent aa3b1bcf
...@@ -496,6 +496,10 @@ class ApplicationController < ActionController::Base ...@@ -496,6 +496,10 @@ class ApplicationController < ActionController::Base
html_request? && !devise_controller? html_request? && !devise_controller?
end end
def public_visibility_restricted?
Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
end
def set_usage_stats_consent_flag def set_usage_stats_consent_flag
return unless current_user return unless current_user
return if sessionless_user? return if sessionless_user?
......
# frozen_string_literal: true # frozen_string_literal: true
class Explore::ApplicationController < ApplicationController class Explore::ApplicationController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!, unless: :public_visibility_restricted?
layout 'explore' layout 'explore'
end end
# frozen_string_literal: true # frozen_string_literal: true
class HelpController < ApplicationController class HelpController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!, unless: :public_visibility_restricted?
layout 'help' layout 'help'
......
...@@ -51,6 +51,10 @@ module ExploreHelper ...@@ -51,6 +51,10 @@ module ExploreHelper
links.any? { |link| explore_nav_link?(link) } links.any? { |link| explore_nav_link?(link) }
end end
def public_visibility_restricted?
Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
end
private private
def get_explore_nav_links def get_explore_nav_links
......
...@@ -38,7 +38,9 @@ ...@@ -38,7 +38,9 @@
%hr.footer-fixed %hr.footer-fixed
.container.footer-container .container.footer-container
.footer-links .footer-links
= link_to _("Explore"), explore_root_path - if !public_visibility_restricted?
= link_to _("Help"), help_path = link_to _("Explore"), explore_root_path
= link_to _("Help"), help_path
= link_to _("About GitLab"), "https://about.gitlab.com/" = link_to _("About GitLab"), "https://about.gitlab.com/"
= footer_message = footer_message
...@@ -14,7 +14,8 @@ ...@@ -14,7 +14,8 @@
%hr %hr
.container .container
.footer-links .footer-links
= link_to _("Explore"), explore_root_path - if !public_visibility_restricted?
= link_to _("Help"), help_path = link_to _("Explore"), explore_root_path
= link_to _("Help"), help_path
= link_to _("About GitLab"), "https://about.gitlab.com/" = link_to _("About GitLab"), "https://about.gitlab.com/"
= footer_message = footer_message
...@@ -205,7 +205,7 @@ On the EC2 dashboard, look for Load Balancer in the left navigation bar: ...@@ -205,7 +205,7 @@ On the EC2 dashboard, look for Load Balancer in the left navigation bar:
1. Click **Configure Health Check** and set up a health check for your EC2 instances. 1. Click **Configure Health Check** and set up a health check for your EC2 instances.
1. For **Ping Protocol**, select HTTP. 1. For **Ping Protocol**, select HTTP.
1. For **Ping Port**, enter 80. 1. For **Ping Port**, enter 80.
1. For **Ping Path**, enter `/explore`. (We use `/explore` as it's a public endpoint that does 1. For **Ping Path**, enter `/users/sign_in`. (We use `/users/sign_in` as it's a public endpoint that does
not require authorization.) not require authorization.)
1. Keep the default **Advanced Details** or adjust them according to your needs. 1. Keep the default **Advanced Details** or adjust them according to your needs.
1. Click **Add EC2 Instances** but, as we don't have any instances to add yet, come back 1. Click **Add EC2 Instances** but, as we don't have any instances to add yet, come back
......
...@@ -69,6 +69,16 @@ you are privileged to. ...@@ -69,6 +69,16 @@ you are privileged to.
If the public level is restricted, user profiles are only visible to logged in users. If the public level is restricted, user profiles are only visible to logged in users.
## Visibility of pages
By default, the following directories are visible to unauthenticated users:
- Public access (`/public`).
- Explore (`/explore`).
- Help (`/help`).
However, if the access level of the `/public` directory is restricted, these directories are visible only to logged in users.
## Restricting the use of public or internal projects ## Restricting the use of public or internal projects
You can restrict the use of visibility levels for users when they create a project or a You can restrict the use of visibility levels for users when they create a project or a
......
...@@ -91,7 +91,7 @@ For more details on group visibility, see [Public access](../../../public_access ...@@ -91,7 +91,7 @@ For more details on group visibility, see [Public access](../../../public_access
## Restricted visibility levels ## Restricted visibility levels
To set the available visibility levels for new projects and snippets: To set the available visibility levels for projects, snippets, and selected pages:
1. Check the desired visibility levels. 1. Check the desired visibility levels.
1. Click **Save changes**. 1. Click **Save changes**.
......
---
title: Restrict page access when restricted level is public
merge_request: 22522
author: briankabiro
type: added
...@@ -186,4 +186,35 @@ describe 'Login' do ...@@ -186,4 +186,35 @@ describe 'Login' do
end end
end end
end end
describe 'restricted visibility levels' do
context 'contains public level' do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'hides Explore link' do
visit new_user_session_path
expect(page).to have_no_link("Explore")
end
it 'hides help link' do
visit new_user_session_path
expect(page).to have_no_link("Help")
end
end
context 'does not contain public level' do
it 'displays Explore and Help links' do
visit new_user_session_path
href = find_link("Help")[:href]
expect(href).to eq("/help")
expect(page).to have_link("Explore")
end
end
end
end end
# frozen_string_literal: true
require 'spec_helper'
describe 'Signup' do
context 'almost there page' do
context 'when public visibility is restricted' do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'hides Explore link' do
visit users_almost_there_path
expect(page).to have_no_link("Explore")
end
it 'hides help link' do
visit users_almost_there_path
expect(page).to have_no_link("Help")
end
end
end
end
...@@ -22,4 +22,18 @@ describe Explore::GroupsController do ...@@ -22,4 +22,18 @@ describe Explore::GroupsController do
expect(assigns(:groups)).to contain_exactly(member_of_group, public_group) expect(assigns(:groups)).to contain_exactly(member_of_group, public_group)
end end
context 'restricted visibility level is public' do
before do
sign_out(user)
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'redirects to login page' do
get :index
expect(response).to redirect_to new_user_session_path
end
end
end end
...@@ -171,5 +171,17 @@ describe Explore::ProjectsController do ...@@ -171,5 +171,17 @@ describe Explore::ProjectsController do
get :index, params: { sort: sorting_param } get :index, params: { sort: sorting_param }
end end
end end
context 'restricted visibility level is public' do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'redirects to login page' do
get :index
expect(response).to redirect_to new_user_session_path
end
end
end end
end end
...@@ -79,6 +79,20 @@ describe HelpController do ...@@ -79,6 +79,20 @@ describe HelpController do
expect(assigns[:help_index]).to eq '[protocol-relative](//example.com)' expect(assigns[:help_index]).to eq '[protocol-relative](//example.com)'
end end
end end
context 'restricted visibility set to public' do
before do
sign_out(user)
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'redirects to sign_in path' do
get :index
expect(response).to redirect_to(new_user_session_path)
end
end
end end
describe 'GET #show' do describe 'GET #show' do
......
...@@ -89,5 +89,17 @@ describe 'Explore Groups', :js do ...@@ -89,5 +89,17 @@ describe 'Explore Groups', :js do
end end
it_behaves_like 'renders group in public groups area' it_behaves_like 'renders group in public groups area'
context 'when visibility is restricted to public' do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it 'redirects to the sign in page' do
visit explore_groups_path
expect(page).to have_current_path(new_user_session_path)
end
end
end end
end end
...@@ -16,6 +16,17 @@ describe 'User explores projects' do ...@@ -16,6 +16,17 @@ describe 'User explores projects' do
include_examples 'shows public projects' include_examples 'shows public projects'
end end
context 'when visibility is restricted to public' do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
visit(explore_projects_path)
end
it 'redirects to login page' do
expect(page).to have_current_path(new_user_session_path)
end
end
end end
context 'when signed in' do context 'when signed in' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment