gitlab.com/gitlab-org/gitlab-foss.git
author     Krasimir Angelov <kangelov@gitlab.com>  2019-05-03 16:29:20 +0300
committer  Lin Jen-Shin <godfat@godfat.org>  2019-05-03 16:29:20 +0300
commit     241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree       085737123336ffc4abbf65652a7365c191c8a64c /app
parent     9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
Allow guest users to access project releases

This is step one of resolving https://gitlab.com/gitlab-org/gitlab-ce/issues/56838. Here is what changed:

- Revert the security fix from bdee9e8412d.
- Do not leak repository information (tag name, commit) to guests in API responses.
- Do not include links to source code in API responses for users that do not have download_code access.
- Show Releases in sidebar for guests.
- Do not display links to source code under Assets for users that do not have download_code access.

GET ':id/releases/:tag_name' still does not allow guests to access releases. This is to prevent guessing tag existence.
Diffstat (limited to 'app')

-rw-r--r--  app/assets/javascripts/releases/components/release_block.vue  4
-rw-r--r--  app/helpers/projects_helper.rb                                 5
-rw-r--r--  app/models/release.rb                                          7
-rw-r--r--  app/policies/project_policy.rb                                 2

4 files changed, 11 insertions, 7 deletions
diff --git a/app/assets/javascripts/releases/components/release_block.vue b/app/assets/javascripts/releases/components/release_block.vue
index 7ed1b407ddd..0958b9fa926 100644
--- a/app/assets/javascripts/releases/components/release_block.vue
+++ b/app/assets/javascripts/releases/components/release_block.vue
@@ -86,7 +86,7 @@ export default {
</div>
<div
- v-if="assets.links.length || assets.sources.length"
+ v-if="assets.links.length || (assets.sources && assets.sources.length)"
class="card-text prepend-top-default"
>
<b>
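Review bot: the new guard handles `assets.sources` being absent, but `assets.links.length` on the same line is still unguarded, so the component throws if `links` is ever omitted for a user the way `sources` now is. Either guard both (`(assets.links && assets.links.length)`) or normalise both to `[]` where the assets object is built, so the template needs no null checks at all.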
@@ -103,7 +103,7 @@ export default {
</li>
</ul>
- <div v-if="assets.sources.length" class="dropdown">
+ <div v-if="assets.sources && assets.sources.length" class="dropdown">
<button
type="button"
class="btn btn-link"
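Review bot: this repeats the `assets.sources && assets.sources.length` expression from the first hunk; a single computed property (for example `hasSources`) would keep the two conditions from drifting apart and would be the natural place for a comment stating that `sources` is intentionally undefined for users without `download_code`.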
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 2ac90eb8d9f..8977ccaa9d8 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -318,8 +318,9 @@ module ProjectsHelper
def get_project_nav_tabs(project, current_user)
nav_tabs = [:home]
- if !project.empty_repo? && can?(current_user, :download_code, project)
- nav_tabs << [:files, :commits, :network, :graphs, :forks, :releases]
+ unless project.empty_repo?
+ nav_tabs << [:files, :commits, :network, :graphs, :forks] if can?(current_user, :download_code, project)
+ nav_tabs << :releases if can?(current_user, :read_release, project)
end
if project.repo_exists? && can?(current_user, :read_merge_request, project)
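Review bot: with `:releases` now gated on `read_release` instead of `download_code`, this is the first tab in `get_project_nav_tabs` that shows repository-derived content to guests; the commit message says tag names and commits are stripped from API responses, but nothing in this hunk enforces the same for the HTML releases page, so the serializer and view changes should be reviewed together with it. Also, the branch pushes an Array on one line and a bare Symbol on the next (`nav_tabs << [...]` versus `nav_tabs << :releases`), which only works because the caller flattens `nav_tabs`; pushing `[:releases]` or using `concat` would keep the two lines consistent.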
diff --git a/app/models/release.rb b/app/models/release.rb
index 0f9e94373c7..7bbeb3c9976 100644
--- a/app/models/release.rb
+++ b/app/models/release.rb
@@ -31,8 +31,11 @@ class Release < ApplicationRecord
actual_tag.nil?
end
- def assets_count
- links.count + sources.count
+ def assets_count(except: [])
+ links_count = links.count
+ sources_count = except.include?(:sources) ? 0 : sources.count
+
+ links_count + sources_count
end
def sources
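Review bot: `except:` only recognises `:sources`; any other value (for example `:links`) is silently ignored rather than excluded or rejected. Either validate the argument (`raise ArgumentError` for unknown keys) or handle `:links` symmetrically, and add a one-line comment saying that callers pass `except: [:sources]` for users without `download_code` so the count matches what the UI actually shows them.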
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index ba38af9c529..76544249688 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -186,6 +186,7 @@ class ProjectPolicy < BasePolicy
enable :read_cycle_analytics
enable :award_emoji
enable :read_pages_content
+ enable :read_release
end
# These abilities are not allowed to admins that are not members of the project,
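Review bot: moving `enable :read_release` into the guest rule set widens read access on private projects from reporter to guest, which is the intended change, but the redaction it depends on (no tag name, commit or source links for guests, per the commit message) lives outside this file, so a policy spec asserting that a guest on a private project gets `read_release` while still lacking `download_code` would pin the new boundary. The message also states that `GET ':id/releases/:tag_name'` stays closed to guests; the API layer must therefore keep checking `download_code` (or an equivalent) on that endpoint rather than `read_release`, otherwise this enable alone would let the tag-existence check the message wants to prevent succeed.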
@@ -212,7 +213,6 @@ class ProjectPolicy < BasePolicy
enable :read_deployment
enable :read_merge_request
enable :read_sentry_issue
- enable :read_release
enable :read_prometheus
end
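Review bot: dropping `enable :read_release` here is correct only because the guest rule above now enables it and reporters satisfy the guest condition; a short comment next to the guest-level enable noting that reporter-and-above inherit it would stop a future reorder from leaving reporters without the ability.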