From 241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c Mon Sep 17 00:00:00 2001
From: Krasimir Angelov <kangelov@gitlab.com>
Date: Fri, 3 May 2019 13:29:20 +0000
Subject: Allow guests users to access project releases

This is step one of resolving
https://gitlab.com/gitlab-org/gitlab-ce/issues/56838.

Here is what changed:
- Revert the security fix from bdee9e8412d.
- Do not leak repository information (tag name, commit) to guests in API
responses.
- Do not include links to source code in API responses for users that do
not have download_code access.
- Show Releases in sidebar for guests.
- Do not display links to source code under Assets for users that do not
have download_code access.

GET ':id/releases/:tag_name' still do not allow guests to access
releases. This is to prevent guessing tag existence.
---
 lib/api/releases.rb | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'lib/api/releases.rb')

diff --git a/lib/api/releases.rb b/lib/api/releases.rb
index cb85028f22c..6b17f4317db 100644
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -23,7 +23,7 @@ module API
       get ':id/releases' do
         releases = ::ReleasesFinder.new(user_project, current_user).execute
 
-        present paginate(releases), with: Entities::Release
+        present paginate(releases), with: Entities::Release, current_user: current_user
       end
 
       desc 'Get a single project release' do
@@ -34,9 +34,9 @@ module API
         requires :tag_name, type: String, desc: 'The name of the tag', as: :tag
       end
       get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMETS do
-        authorize_read_release!
+        authorize_download_code!
 
-        present release, with: Entities::Release
+        present release, with: Entities::Release, current_user: current_user
       end
 
       desc 'Create a new release' do
@@ -63,7 +63,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -86,7 +86,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -107,7 +107,7 @@ module API
           .execute
 
         if result[:status] == :success
-          present result[:release], with: Entities::Release
+          present result[:release], with: Entities::Release, current_user: current_user
         else
           render_api_error!(result[:message], result[:http_status])
         end
@@ -135,6 +135,10 @@ module API
         authorize! :destroy_release, release
       end
 
+      def authorize_download_code!
+        authorize! :download_code, release
+      end
+
       def release
         @release ||= user_project.releases.find_by_tag(params[:tag])
       end
-- 
cgit v1.2.1