
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorDouwe Maan <douwe@gitlab.com>2018-06-05 18:27:00 +0300
committerDouwe Maan <douwe@gitlab.com>2018-06-05 18:27:00 +0300
commit1fd2c6460d0d8ff3167fb742b41a4b010cc7ad8b (patch)
tree14688be718b8c381398025de364c0bffb93478c8 /app/controllers
parent0a5f3aa37833fe6365fc8ab7af8912d15b4d844a (diff)
parent491e1fc905ef52dcc2e7df7deabd3c1f6e42aa52 (diff)
Merge branch 'bvl-403-for-external-auth-service-ce' into 'master'
[CE-backport] Render a 403 when showing an access denied message See merge request gitlab-org/gitlab-ce!19415
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/application_controller.rb9
1 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index db8a8cdc0d2..bc60a0a02e8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -130,12 +130,17 @@ class ApplicationController < ActionController::Base
end
def access_denied!(message = nil)
+ # If we display a custom access denied message to the user, we don't want to
+ # hide existence of the resource, rather tell them they cannot access it using
+ # the provided message
+ status = message.present? ? :forbidden : :not_found
+
respond_to do |format|
- format.any { head :not_found }
+ format.any { head status }
format.html do
render "errors/access_denied",
layout: "errors",
- status: 404,
+ status: status,
locals: { message: message }
end
end
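Review bot: The added `status = message.present? ? :forbidden : :not_found` line lets an optional display argument decide whether the response confirms that the resource exists, and nothing at the `def access_denied!(message = nil)` signature tells a caller that. A later caller that passes a message only for friendlier wording would turn a 404 into a 403 and let unauthorised users tell existing private resources from missing ones. I would move the explanation above the method so it reads as part of its contract, e.g. `# Passing a message returns 403 instead of 404 and so reveals that the resource exists; only pass one where that is acceptable.` The callers are outside this hunk, so the call sites that pass a message should be checked against that rule, and a controller spec covering both branches would pin it. The method's closing `end` also lies outside the hunk.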