From 846e581732e291f8927d04a5b1b40fe8f2688885 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Tue, 28 Feb 2017 13:08:07 -0800
Subject: use a magic default :global symbol instead of nil

to make sure we mean the global permissions
---
 lib/api/helpers.rb                         | 4 ++--
 lib/api/users.rb                           | 2 +-
 lib/banzai/reference_parser/base_parser.rb | 2 +-
 lib/gitlab/allowable.rb                    | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'lib')

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index a9b364da9e1..e5f5de2af57 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -116,7 +116,7 @@ module API
       forbidden! unless current_user.is_admin?
     end
 
-    def authorize!(action, subject = nil)
+    def authorize!(action, subject = :global)
       forbidden! unless can?(current_user, action, subject)
     end
 
@@ -134,7 +134,7 @@ module API
       end
     end
 
-    def can?(object, action, subject)
+    def can?(object, action, subject = :global)
       Ability.allowed?(object, action, subject)
     end
 
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 549003f576a..2d4d5a25221 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -45,7 +45,7 @@ module API
         use :pagination
       end
       get do
-        unless can?(current_user, :read_users_list, nil)
+        unless can?(current_user, :read_users_list)
           render_api_error!("Not authorized.", 403)
         end
 
diff --git a/lib/banzai/reference_parser/base_parser.rb b/lib/banzai/reference_parser/base_parser.rb
index 2058a58d0ae..b121c37c5d0 100644
--- a/lib/banzai/reference_parser/base_parser.rb
+++ b/lib/banzai/reference_parser/base_parser.rb
@@ -210,7 +210,7 @@ module Banzai
           grouped_objects_for_nodes(nodes, Project, 'data-project')
       end
 
-      def can?(user, permission, subject)
+      def can?(user, permission, subject = :global)
         Ability.allowed?(user, permission, subject)
       end
 
diff --git a/lib/gitlab/allowable.rb b/lib/gitlab/allowable.rb
index f48abcc86d5..e4f7cad2b79 100644
--- a/lib/gitlab/allowable.rb
+++ b/lib/gitlab/allowable.rb
@@ -1,6 +1,6 @@
 module Gitlab
   module Allowable
-    def can?(user, action, subject)
+    def can?(user, action, subject = :global)
       Ability.allowed?(user, action, subject)
     end
   end
-- 
cgit v1.2.3


From 0ea04cc5bfcc125875a6e0f46702389f0e2e19c0 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Tue, 28 Feb 2017 13:19:52 -0800
Subject: use the policy stack to protect logins

---
 lib/api/helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index e5f5de2af57..bd22b82476b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -97,7 +97,7 @@ module API
     end
 
     def authenticate!
-      unauthorized! unless current_user
+      unauthorized! unless current_user && can?(current_user, :access_api)
     end
 
     def authenticate_non_get!
-- 
cgit v1.2.3


From 145f6fd0b9bb2428ee9f5445efe7cb0b91ca8712 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Tue, 28 Feb 2017 13:37:35 -0800
Subject: protect git access through the policy infra

---
 lib/gitlab/user_access.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 6ce9b229294..3078b134bb3 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -63,7 +63,7 @@ module Gitlab
     private
 
     def no_user_or_blocked?
-      user.nil? || user.blocked?
+      user.nil? || !user.can?(:access_git)
     end
   end
 end
-- 
cgit v1.2.3


From 90d924dc390693892a596659aa1a38b0432f6e40 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Thu, 9 Mar 2017 13:59:19 -0800
Subject: reverse the logic and use a clearer name

---
 lib/gitlab/user_access.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'lib')

diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 3078b134bb3..f260c0c535f 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -8,7 +8,7 @@ module Gitlab
     end
 
     def can_do_action?(action)
-      return false if no_user_or_blocked?
+      return false unless can_access_git?
 
       @permission_cache ||= {}
       @permission_cache[action] ||= user.can?(action, project)
@@ -19,7 +19,7 @@ module Gitlab
     end
 
     def allowed?
-      return false if no_user_or_blocked?
+      return false unless can_access_git?
 
       if user.requires_ldap_check? && user.try_obtain_ldap_lease
         return false unless Gitlab::LDAP::Access.allowed?(user)
@@ -29,7 +29,7 @@ module Gitlab
     end
 
     def can_push_to_branch?(ref)
-      return false if no_user_or_blocked?
+      return false unless can_access_git?
 
       if project.protected_branch?(ref)
         return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
@@ -44,7 +44,7 @@ module Gitlab
     end
 
     def can_merge_to_branch?(ref)
-      return false if no_user_or_blocked?
+      return false unless can_access_git?
 
       if project.protected_branch?(ref)
         access_levels = project.protected_branches.matching(ref).map(&:merge_access_levels).flatten
@@ -55,15 +55,15 @@ module Gitlab
     end
 
     def can_read_project?
-      return false if no_user_or_blocked?
+      return false unless can_access_git?
 
       user.can?(:read_project, project)
     end
 
     private
 
-    def no_user_or_blocked?
-      user.nil? || !user.can?(:access_git)
+    def can_access_git?
+      user && user.can?(:access_git)
     end
   end
 end
-- 
cgit v1.2.3