Add latest changes from gitlab-org/gitlab@master

9 files changed, 22 insertions, 13 deletions

diff --git a/lib/api/branches.rb b/lib/api/branches.rb
index 5ae1a80a7fd..c5ea3a2d3ad 100644
--- a/lib/api/branches.rb
+++ b/lib/api/branches.rb
@@ -14,7 +14,7 @@ module API
 
     before do
       require_repository_enabled!
-      authorize! :read_code, user_project
+      authorize_read_code!
     end
 
     rescue_from Gitlab::Git::Repository::NoRepository do
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index f884dde3552..7a86c995f1a 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -9,7 +9,7 @@ module API
 
     before do
       require_repository_enabled!
-      authorize! :read_code, user_project
+      authorize_read_code!
 
       verify_pagination_params!
     end
diff --git a/lib/api/files.rb b/lib/api/files.rb
index 1850413caa6..45e935d7ea2 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -30,7 +30,7 @@ module API
       end
 
       def assign_file_vars!
-        authorize! :read_code, user_project
+        authorize_read_code!
 
         @commit = user_project.commit(params[:ref])
         not_found!('Commit') unless @commit
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 74c740f47cc..e55452fd07b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -332,6 +332,10 @@ module API
       authorize! :read_build, user_project
     end
 
+    def authorize_read_code!
+      authorize! :read_code, user_project
+    end
+
     def authorize_read_build_trace!(build)
       authorize! :read_build_trace, build
     end
diff --git a/lib/api/lint.rb b/lib/api/lint.rb
index 0dd06d27aeb..15ccf0da0b9 100644
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
@@ -28,6 +28,7 @@ module API
       end
 
       post '/lint', urgency: :low do
+        render_api_error!('410 Gone', 410) unless Feature.disabled?(:ci_remove_post_lint, current_user)
         unauthorized! unless can_lint_ci?
 
         result = Gitlab::Ci::Lint.new(project: nil, current_user: current_user)
@@ -56,7 +57,7 @@ module API
       end
 
       get ':id/ci/lint', urgency: :low do
-        authorize! :read_code, user_project
+        authorize_read_code!
 
         if user_project.commit.present?
           content = user_project.repository.gitlab_ci_yml_for(user_project.commit.id, user_project.ci_config_path_or_default)
diff --git a/lib/api/protected_branches.rb b/lib/api/protected_branches.rb
index a50208d78d7..3d9abe23638 100644
--- a/lib/api/protected_branches.rb
+++ b/lib/api/protected_branches.rb
@@ -6,8 +6,6 @@ module API
 
     BRANCH_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX)
 
-    before { authorize_admin_project }
-
     feature_category :source_code_management
 
     helpers Helpers::ProtectedBranchesHelpers
@@ -33,6 +31,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/protected_branches' do
+        authorize_read_code!
+
         protected_branches =
           ProtectedBranchesFinder
             .new(user_project, params)
@@ -55,6 +55,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS do
+        authorize_read_code!
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         present protected_branch, with: Entities::ProtectedBranch, project: user_project
@@ -86,6 +88,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       post ':id/protected_branches' do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by(name: params[:name])
 
         if protected_branch
@@ -123,6 +127,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       patch ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         declared_params = declared_params(include_missing: false)
@@ -150,6 +156,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       delete ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS, urgency: :low do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         destroy_conditionally!(protected_branch) do
diff --git a/lib/api/releases.rb b/lib/api/releases.rb
index ebf1c03e86b..0b31a3e0309 100644
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -387,10 +387,6 @@ module API
         authorize! :download_code, user_project
       end
 
-      def authorize_read_code!
-        authorize! :read_code, user_project
-      end
-
       def authorize_create_evidence!
         # extended in EE
       end
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 6f8d34ea387..295d1d5ab16 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -41,7 +41,7 @@ module API
       end
     end
 
-    before { authorize! :read_code, user_project }
+    before { authorize_read_code! }
 
     feature_category :source_code_management
 
@@ -63,7 +63,7 @@ module API
         end
 
         def assign_blob_vars!(limit:)
-          authorize! :read_code, user_project
+          authorize_read_code!
 
           @repo = user_project.repository
 
diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index f918fb997bf..42b63af59e0 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -7,7 +7,7 @@ module API
     TAG_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
 
     before do
-      authorize! :read_code, user_project
+      authorize_read_code!
 
       not_found! unless user_project.repo_exists?
     end