Merge branch 'fix-lfs-object-access-check' into 'master'

Fix LFS object access check

Added tests for the fix started in gitlab-org/gitlab-ce!7417, since the scenario is EE specific.

Fixes gitlab-org/gitlab-ce#24392

cc @stanhu @ahanselka

See merge request !865

app/controllers/projects/lfs_api_controller.rb

@@ -31,10 +31,6 @@ class Projects::LfsApiController < Projects::GitHttpClientController
 
   private
 
-  def objects
-    @objects ||= (params[:objects] || []).to_a
-  end
-
   def existing_oids
     @existing_oids ||= begin
       storage_project.lfs_objects.where(oid: objects.map { |o| o['oid'].to_s }).pluck(:oid)

app/helpers/lfs_helper.rb

@@ -34,6 +34,10 @@ module LfsHelper
     ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code?
   end
 
+  def objects
+    @objects ||= (params[:objects] || []).to_a
+  end
+
   def user_can_download_code?
     has_authentication_ability?(:download_code) && can?(user, :download_code, project)
   end

spec/requests/lfs_http_spec.rb

@@ -943,6 +943,17 @@ describe 'Git LFS API and storage' do
             end
           end
 
+          context 'and project has limit enabled but will stay under the limit' do
+            before do
+              allow_any_instance_of(Project).to receive_messages(actual_size_limit: 200, size_limit_enabled?: true)
+              put_finalize
+            end
+
+            it 'responds with status 200' do
+              expect(response).to have_http_status(200)
+            end
+          end
+
           context 'invalid tempfiles' do
             it 'rejects slashes in the tempfile name (path traversal' do
               put_finalize('foo/bar')