Commit e2be8c82 authored by Nourdin el Bacha's avatar Nourdin el Bacha Committed by Markus Koller

Conditionally render create project button

This commit checks whether the current user is allowed to create a
project prior to rendering the button.
It also return a `404` error for the Project#new method when the current
user is not allowed to create a new project.

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/333450

Changelog: fixed
parent 2afa9308
......@@ -54,6 +54,8 @@ class ProjectsController < Projects::ApplicationController
# rubocop: disable CodeReuse/ActiveRecord
def new
return access_denied! unless current_user.can_create_project?
@namespace = Namespace.find_by(id: params[:namespace_id]) if params[:namespace_id]
return access_denied! if @namespace && !can?(current_user, :create_projects, @namespace)
......
......@@ -267,7 +267,11 @@ module Nav
builder.add_primary_menu_item(id: 'your', title: _('Your projects'), href: dashboard_projects_path)
builder.add_primary_menu_item(id: 'starred', title: _('Starred projects'), href: starred_dashboard_projects_path)
builder.add_primary_menu_item(id: 'explore', title: _('Explore projects'), href: explore_root_path)
builder.add_secondary_menu_item(id: 'create', title: _('Create new project'), href: new_project_path)
if current_user.can_create_project?
builder.add_secondary_menu_item(id: 'create', title: _('Create new project'), href: new_project_path)
end
builder.build
end
......
......@@ -42,6 +42,32 @@ RSpec.describe ProjectsController do
expect(response).not_to render_template('new')
end
end
context 'when user is an external user' do
let_it_be(:user) { create(:user, external: true) }
it 'responds with status 404' do
group.add_owner(user)
get :new, params: { namespace_id: group.id }
expect(response).to have_gitlab_http_status(:not_found)
expect(response).not_to render_template('new')
end
end
context 'when user is a group guest' do
let_it_be(:user) { create(:user) }
it 'responds with status 404' do
group.add_guest(user)
get :new, params: { namespace_id: group.id }
expect(response).to have_gitlab_http_status(:not_found)
expect(response).not_to render_template('new')
end
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment