Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-02-01 11:59:34 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-02-01 11:59:34 +0300
commit: 41b1c0469dba622a1c2c67c17f1f5e491573accf (patch)
tree: 09f095297054f3f5077059ded4cd066bd257e052 /app
parent: 7248f8bff5a90f3ff570c368310c361e1f4e9092 (diff)
2 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index a6e795a2b91..614bada09ed 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
   before_action :require_non_empty_project, except: [:index]
   before_action :release, only: %i[edit show update downloads]
   before_action :authorize_read_release!
+  # We have to check `download_code` permission because detail URL path
+  # contains git-tag name.
+  before_action :authorize_download_code!, except: [:index]
   before_action do
     push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
     push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)
diff --git a/app/presenters/release_presenter.rb b/app/presenters/release_presenter.rb
index b11585d0d1c..aa6429ab012 100644
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
   end
 
   def self_url
+    return unless can_download_code?
+
     project_release_url(project, release)
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-02-01 11:59:34 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-02-01 11:59:34 +0300
commit	41b1c0469dba622a1c2c67c17f1f5e491573accf (patch)
tree	09f095297054f3f5077059ded4cd066bd257e052 /app
parent	7248f8bff5a90f3ff570c368310c361e1f4e9092 (diff)