-rw-r--r-- | app/controllers/application_controller.rb | 7 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 4 | ||||
-rw-r--r-- | spec/controllers/application_controller_spec.rb | 28 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 14 |
4 files changed, 52 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0fdd4d2cb47..f288eb8c59f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
 before_action :authenticate_sessionless_user!
 before_action :authenticate_user!
+ before_action :authorize_access_web!
 before_action :validate_user_service_ticket!
 before_action :check_password_expiration
 before_action :ldap_security_check
@@ -268,6 +269,12 @@ class ApplicationController < ActionController::Base
 end
 end
+ def authorize_access_web!
+ unless can?(current_user, :access_web)
+ render_403
+ end
+ end
+
 def import_sources_enabled?
 !Gitlab::CurrentSettings.import_sources.empty?
 end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 64e550d19d0..72ef0888438 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -26,14 +26,16 @@ class GlobalPolicy < BasePolicy
 enable :log_in
 enable :access_api
 enable :access_git
+ enable :access_web
 enable :receive_notifications
 enable :use_quick_actions
 end
- rule { blocked | internal }.policy do
+ rule { ~anonymous & (blocked | internal) }.policy do
 prevent :log_in
 prevent :access_api
 prevent :access_git
+ prevent :access_web
 prevent :receive_notifications
 prevent :use_quick_actions
 end
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index fe95d1ef9cd..eacf2d7a589 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
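Review bot: `authorize_access_web!` is registered as a separate filter right after `authenticate_user!` (first hunk), so in any controller that skips `authenticate_user!` — if such controllers exist, which is not visible here — it will run for unauthenticated requests and evaluate `can?(nil, :access_web)`; that is only harmless because the global_policy.rb change in this same commit keeps `:access_web` enabled for anonymous users, a coupling that is easy to break later. A comment on the method should record that dependency, e.g. `# Also runs for anonymous requests: GlobalPolicy must keep :access_web enabled for a nil user, otherwise every public page (sign-in included) answers 403.` The body reads more idiomatically in modifier form, `render_403 unless can?(current_user, :access_web)`. Whether the method lands in the private section of the controller cannot be seen, since the enclosing class continues outside the hunk.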
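Review bot: The new `~anonymous &` guard changes the evaluation of the blocked/internal rule for all six `prevent`s in that block, not just `:access_web`, and nothing in the hunk says why; it looks like it exists so that `blocked`/`internal` are never evaluated against a nil user now that the controller calls `can?(nil, :access_web)`, but those condition definitions are outside this hunk so that is an inference. A one-line comment on the rule would make the intent explicit, e.g. `# Test anonymous first: blocked/internal must not be evaluated for a nil user`. Since `enable :access_web` sits in the block whose `rule` line starts above this hunk, anonymous users are granted `:access_web`; the controller's `authorize_access_web!` is therefore not an authentication gate and `authenticate_user!` still has to do that job, which is worth stating next to the enable so the two rules are not later "tightened" independently.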
@@ -406,4 +406,32 @@ describe ApplicationController do
 end
 end
 end
+
+ context 'access to the web application' do
+ controller(described_class) do
+ def index
+ render nothing: true
+ end
+ end
+
+ before do
+ sign_in(user)
+ end
+
+ it 'renders 200 when the user has access' do
+ expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { true }
+
+ get :index
+
+ expect(response).to have_gitlab_http_status(:success)
+ end
+
+ it 'renders 403 when the user does not have access' do
+ expect(Ability).to receive(:allowed?).with(user, :access_web, :global) { false }
+
+ get :index
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
 end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 5b8cf2e6ab5..31cda8722d6 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -88,4 +88,18 @@ describe GlobalPolicy do
 it { is_expected.to be_allowed(:update_custom_attribute) }
 end
 end
+
+ describe 'accessing the web application' do
+ context 'anonymous users' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_allowed(:access_web) }
+ end
+
+ context 'blocked users' do
+ let(:current_user) { create(:user, :blocked) }
+
+ it { is_expected.not_to be_allowed(:access_web) }
+ end
+ end
 end
|
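Review bot: Both examples replace `Ability.allowed?` wholesale, so only the wiring from the filter to `Ability` is exercised and the real blocked-user path through `GlobalPolicy` is never driven from the controller; moreover `expect(Ability).to receive(:allowed?).with(user, :access_web, :global)` raises an unexpected-arguments error if any other `can?` check runs during the same request, which makes these examples brittle to unrelated filters. Consider `allow(Ability).to receive(:allowed?).and_call_original` together with a targeted `expect`, or one unstubbed example using `create(:user, :blocked)` if `sign_in` accepts a blocked user (not visible here; `user` itself presumably comes from a `let` above this hunk). `render nothing: true` in the anonymous controller is deprecated in Rails 5 in favour of `head :ok`, if the project is on that version.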
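Review bot: The new `describe` checks the anonymous and blocked cases but not the baseline active user, nor the `internal` branch that the same rule now also prevents, so a regression that dropped `enable :access_web` from the default block or the `internal` condition would pass this spec. Add a `context 'regular users'` with `let(:current_user) { create(:user) }` and `it { is_expected.to be_allowed(:access_web) }` next to the two existing contexts, and an internal-user context using whatever factory trait the project provides for internal users, expecting `not_to be_allowed(:access_web)`.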