Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-04-29 11:18:56 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-04-29 11:19:12 +0300
commit: 7b1c7e980459210bea3f967cbc6b1c797c1ff658 (patch)
tree: 74f3c3392bf8e887a73bb570d27419bfc65c0093 /lib/gitlab/git_access_wiki.rb
parent: deb2f3a60831afda2ad7ec144eb58aaf269abe58 (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb
index f8f61511265..fdd7e8a8c4a 100644
--- a/lib/gitlab/git_access_wiki.rb
+++ b/lib/gitlab/git_access_wiki.rb
@@ -31,7 +31,8 @@ module Gitlab
     def check_download_access!
       super
 
-      raise ForbiddenError, download_forbidden_message if deploy_token && !deploy_token.can?(:download_wiki_code, container)
+      raise ForbiddenError, download_forbidden_message if build_cannot_download?
+      raise ForbiddenError, download_forbidden_message if deploy_token_cannot_download?
     end
 
     override :check_change_access!
@@ -52,6 +53,17 @@ module Gitlab
     def not_found_message
       error_message(:not_found)
     end
+
+    private
+
+    # when accessing via the CI_JOB_TOKEN
+    def build_cannot_download?
+      build_can_download_code? && !user_access.can_do_action?(download_ability)
+    end
+
+    def deploy_token_cannot_download?
+      deploy_token && !deploy_token.can?(download_ability, container)
+    end
   end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-04-29 11:18:56 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-04-29 11:19:12 +0300
commit	7b1c7e980459210bea3f967cbc6b1c797c1ff658 (patch)
tree	74f3c3392bf8e887a73bb570d27419bfc65c0093 /lib/gitlab/git_access_wiki.rb
parent	deb2f3a60831afda2ad7ec144eb58aaf269abe58 (diff)