summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGELOG1
-rw-r--r--app/models/ability.rb54
2 files changed, 32 insertions, 23 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 799856c91fa..d249a014802 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.14.0 (unreleased)
- Remove repository graph log to fix slow cache updates after push event (Stan Hu)
- Fix label read access for unauthenticated users (Daniel Gerhardt)
+ - Fix access to disabled features for unauthenticated users (Daniel Gerhardt)
- Fix OAuth provider bug where GitLab would not go return to the redirect_uri after sign-in (Stan Hu)
- Fix file upload dialog for comment editing (Daniel Gerhardt)
- Set OmniAuth full_host parameter to ensure redirect URIs are correct (Stan Hu)
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 7dab50d47d4..9258d981ac9 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -31,7 +31,7 @@ class Ability
end
if project && project.public?
- [
+ rules = [
:read_project,
:read_wiki,
:read_issue,
@@ -43,6 +43,8 @@ class Ability
:read_note,
:download_code
]
+
+ rules - project_disabled_features_rules(project)
else
group = if subject.kind_of?(Group)
subject
@@ -103,28 +105,7 @@ class Ability
rules -= project_archived_rules
end
- unless project.issues_enabled
- rules -= named_abilities('issue')
- end
-
- unless project.merge_requests_enabled
- rules -= named_abilities('merge_request')
- end
-
- unless project.issues_enabled or project.merge_requests_enabled
- rules -= named_abilities('label')
- rules -= named_abilities('milestone')
- end
-
- unless project.snippets_enabled
- rules -= named_abilities('project_snippet')
- end
-
- unless project.wiki_enabled
- rules -= named_abilities('wiki')
- end
-
- rules
+ rules - project_disabled_features_rules(project)
end
end
@@ -206,6 +187,33 @@ class Ability
]
end
+ def project_disabled_features_rules(project)
+ rules = []
+
+ unless project.issues_enabled
+ rules += named_abilities('issue')
+ end
+
+ unless project.merge_requests_enabled
+ rules += named_abilities('merge_request')
+ end
+
+ unless project.issues_enabled or project.merge_requests_enabled
+ rules += named_abilities('label')
+ rules += named_abilities('milestone')
+ end
+
+ unless project.snippets_enabled
+ rules += named_abilities('project_snippet')
+ end
+
+ unless project.wiki_enabled
+ rules += named_abilities('wiki')
+ end
+
+ rules
+ end
+
def group_abilities(user, group)
rules = []
View Lorry Controller Status