From f7f13f9db0da92c7b43481dfe5559f317711e533 Mon Sep 17 00:00:00 2001 From: Bob Van Landuyt Date: Tue, 8 May 2018 15:07:55 +0200 Subject: Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. --- lib/api/api_guard.rb | 12 +++++++++- lib/gitlab/auth/user_access_denied_reason.rb | 33 ++++++++++++++++++++++++++++ lib/gitlab/git_access.rb | 6 ++--- 3 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 lib/gitlab/auth/user_access_denied_reason.rb (limited to 'lib') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index c2113551207..c17089759de 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -45,7 +45,9 @@ module API user = find_user_from_sources return unless user - forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api) + unless api_access_allowed?(user) + forbidden!(api_access_denied_message(user)) + end user end @@ -72,6 +74,14 @@ module API end end end + + def api_access_allowed?(user) + Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api) + end + + def api_access_denied_message(user) + Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message + end end module ClassMethods diff --git a/lib/gitlab/auth/user_access_denied_reason.rb b/lib/gitlab/auth/user_access_denied_reason.rb new file mode 100644 index 00000000000..af310aa12fc --- /dev/null +++ b/lib/gitlab/auth/user_access_denied_reason.rb 
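Review bot: `api_access_denied_message` is reached whenever either conjunct of `api_access_allowed?` is false, but `UserAccessDeniedReason` (added in this commit) derives its text from the user's state alone and has no branch for a `can?(:access_api)` denial, so an active, non-internal user who has accepted the terms but lacks the `:access_api` ability is told 'Your account has been blocked.' — a state the code has not verified. Consider checking the two conditions separately so the message matches the failed one, e.g. `forbidden!(api_access_denied_message(user)) unless Gitlab::UserAccess.new(user).allowed?` followed by `forbidden!('This user is not allowed to access the API') unless user.can?(:access_api)`, or give the reason class an explicit API-access reason. A one-line comment on `api_access_allowed?` saying that `allowed?` covers account state while `can?(:access_api)` is a policy check would also help readers; the enclosing module body extends outside the hunk.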
@@ -0,0 +1,33 @@ +module Gitlab + module Auth + class UserAccessDeniedReason + def initialize(user) + @user = user + end + + def rejection_message + case rejection_type + when :internal + 'This action cannot be performed by internal users' + when :terms_not_accepted + 'You must accept the Terms of Service in order to perform this action. '\ + 'Please access GitLab from a web browser to accept these terms.' + else + 'Your account has been blocked.' + end + end + + private + + def rejection_type + if @user.internal? + :internal + elsif @user.required_terms_not_accepted? + :terms_not_accepted + else + :blocked + end + end + end + end +end diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 0d1ee73ca1a..520b92a0363 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -2,8 +2,6 @@ # class return an instance of `GitlabAccessStatus` module Gitlab class GitAccess - include Gitlab::Utils::StrongMemoize - UnauthorizedError = Class.new(StandardError) NotFoundError = Class.new(StandardError) ProjectCreationError = Class.new(StandardError) @@ -17,7 +15,6 @@ module Gitlab deploy_key_upload: 'This deploy key does not have write access to this project.', no_repo: 'A repository for this project does not exist yet.', project_not_found: 'The project you were looking for could not be found.', - account_blocked: 'Your account has been blocked.', command_not_allowed: "The command you're trying to execute is not allowed.", upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.', receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.', @@ -109,7 +106,8 @@ module Gitlab def check_active_user! if user && !user_access.allowed? - raise UnauthorizedError, ERROR_MESSAGES[:account_blocked] + message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message + raise UnauthorizedError, message end end -- cgit v1.2.1
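Review bot: `rejection_type` returns `:terms_not_accepted` before it ever considers whether the account is blocked, so a blocked user who also has unaccepted terms is told to open a web browser and accept the terms — which a blocked account cannot do — instead of being told the account is blocked. The `else` branch likewise asserts 'Your account has been blocked.' for any denial the two predicates do not explain, including the `can?(:access_api)` failure in api_guard.rb, so the message can claim a state that was never checked. If the user model exposes a blocked predicate (`@user.blocked?`; not visible here), test it first — `return :blocked if @user.blocked?` ahead of the terms check — and soften the fallback to something like 'Your account is not allowed to perform this action.' so it only states what the code has verified. A short class comment noting that callers (API guard and git access) evaluate `allowed?` independently of this class, and that the reason reported is therefore a best-effort explanation, would make that coupling explicit.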
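Review bot: `check_active_user!` now rejects for reasons beyond an inactive account (internal user, terms not accepted), but neither the method name nor a comment says so, and the `user &&` guard means the terms check is skipped entirely when `user` is nil — deploy-key and anonymous paths, presumably — which is worth stating since the commit message says git access is blocked when terms are enforced. Add above the method `# Reject when a user is present but not allowed to act (blocked, internal, or terms not accepted); the message comes from UserAccessDeniedReason so git clients see the same explanation as the API. Requests without a user (e.g. deploy keys) are not checked here.` The rest of `class GitAccess`, including `user_access`, lies outside this hunk.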