Labels page Access Denied (error 403)

Hi,

No access to the labels of the page while I am the owner of the project :)

Thx

Is this reproducible on gitlab.com? Which version are you using?

Not sure if it's everyone, but we're affected by it too (gitlab.com, free private).

Finally, the problem is present in private and internal for me

Are you accessing the "Labels" button on the sidebar and getting the 403? Or are you accessing the page some other way?

I just created a new private project on gitlab.com and had no issues going to the be Labels button or creating a new label. If you create a new project, does the same issue happen?

@stanhu I use the link "Labels" in the sidebar and I get an error 403 on private and internal projects already created. Indeed, I have no problem with a new project.

@stanhu I've added you to my private project so you can see the problem : https://gitlab.com/thelinuxfr/start.lietart.fr/labels

@thelinuxfr Thanks, that is really quite odd. It looks like a regression indeed. If this were a permission issue, I would expect to see a 404 error, but instead we see the 403 Access Denied page. My guess is that there is some error, and the catch-all is just showing that page.

@jacobvosmaer, could you check the server logs to see what is going on here?

@stanhu what do you want me to search for?

Someone at the meetup yesterday mentioned this to me.

HMM when I load https://gitlab.com/thelinuxfr/start.lietart.fr/labels as an admin and look in the Chrome web inspector, the HTTP response code is 404, even though the page says 403. @thelinuxfr do you get HTTP code 404 too?

production.log: Started GET "/thelinuxfr/start.lietart.fr/labels" for 24.132.139.90 at 2015-06-17 12:15:22 +0000
production.log: Processing by Projects::LabelsController#index as HTML
production.log:   Parameters: {"namespace_id"=>"thelinuxfr", "project_id"=>"start.lietart.fr"}
production.log: Filter chain halted as :authorize_labels! rendered or redirected
production.log: Completed 404 Not Found in 128ms (Views: 36.3ms | ActiveRecord: 10.1ms)

Created #1824 (moved) for 404/403 confusion.

@jacobvosmaer Yes, I also see what you see.

Also interesting to note: if I enable the merge requests feature on the project, the labels page works fine. I suspect this may be a regression from 9bcd3639, but I can't explain why yet.

/cc: @DouweM

Oh, I see the problem in application_controller.rb:

 def authorize_project!(action)
    return access_denied! unless can?(current_user, action, project)
  end

  def authorize_labels!
    # Labels should be accessible for issues and/or merge requests
    authorize_read_issue! || authorize_read_merge_request!
  end

If merge requests are disabled, the user does not have access to read them, and this code will return Access Denied. Do we need to check if the features are enabled here?

OK so the project at https://gitlab.com/thelinuxfr/start.lietart.fr has neither issues nor MRs enabled?

It has issues enabled, but MRs disabled. The permissions check was refactored so that can?(current_user, :read_merge_request, project) will fail if merge requests are disabled.

Actually, I think the solution is simple now that the permission checks have been refactored:

 def authorize_labels!
    can?(current_user, :admin_label, project)
  end

I'll send a MR.

Thanks @stanhu, looking forward to it.

Enabling MRs does indeed (temp.) fix the problem on our repo

mentioned in merge request !836 (merged)

!836 (merged) should fix the issue.

mentioned in issue #1810 (closed)

Status changed to closed by commit 07efb17e

Status changed to reopened

Reopening because the fix is not in 7-12-stable yet.

mentioned in merge request !842 (merged)

@jacobvosmaer It will be when you accept !842 (merged) :)

Thanks @DouweM

Status changed to closed

mentioned in commit maxraab/gitlab-ce@b8fd21f9