Merge branch '346510-fix-anonymous-searches-restriction' into 'master'

Fix global anonymous searches restriction See merge request gitlab-org/gitlab!75875

Merge branch '346510-fix-anonymous-searches-restriction' into 'master'
Fix global anonymous searches restriction See merge request gitlab-org/gitlab!75875
733ba47f · Mark Chao · d94ebdd4 · de1fc6f1 · 733ba47f · 733ba47f
Commit 733ba47f authored Dec 06, 2021 by Mark Chao
3 changed files
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -150,7 +150,7 @@ class SearchController < ApplicationController
  end
  def block_anonymous_global_searches
-    return if params[:project_id].present? || params[:group_id].present?
+    return unless search_service.global_search?
    return if current_user
    return unless ::Feature.enabled?(:block_anonymous_global_searches, type: :ops)
@@ -160,7 +160,7 @@ class SearchController < ApplicationController
  end
  def check_scope_global_search_enabled
-    return if params[:project_id].present? || params[:group_id].present?
+    return unless search_service.global_search?
    search_allowed = case params[:scope]
                     when 'blobs'

--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@@ -45,6 +45,10 @@ class SearchService
    # overridden in EE
  end
+  def global_search?
+    project.blank? && group.blank?
+  end
  def show_snippets?
    return @show_snippets if defined?(@show_snippets)

--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -172,6 +172,12 @@ RSpec.describe SearchController do
              expect(response).to redirect_to new_user_session_path
            end
+            it 'redirects to login page when trying to circumvent the restriction' do
+              get :show, params: { scope: 'projects', project_id: non_existing_record_id, search: '*' }
+              expect(response).to redirect_to new_user_session_path
+            end
          end
          context 'for authenticated user' do