Merge branch 'security-11-4-refs-available-to-project-guest' into 'security-11-4'

[11.4] Project guests no longer are able to see refs page See merge request gitlab/gitlabhq!2688

Merge branch 'security-11-4-refs-available-to-project-guest' into 'security-11-4'
f43991c9 · John Jarvis · 34f442d7 · eb8bdaa6 · f43991c9 · f43991c9
Commit f43991c9 authored 6 years ago by John Jarvis
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -19,6 +19,7 @@ class ProjectsController < Projects::ApplicationController
  before_action :lfs_blob_ids, only: [:show], if: [:repo_exists?, :project_view_files?]
  before_action :project_export_enabled, only: [:export, :download_export, :remove_export, :generate_new_export]
  before_action :present_project, only: [:edit]
+  before_action :authorize_download_code!, only: [:refs]
  
  # Authorize
  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export, :remove_export, :generate_new_export]

--- a/changelogs/unreleased/security-refs-available-to-project-guest.yml
+++ b/changelogs/unreleased/security-refs-available-to-project-guest.yml
+---
+title: Project guests no longer are able to see refs page
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -590,10 +590,10 @@ describe ProjectsController do
  end
  
  describe "GET refs" do
-    let(:public_project) { create(:project, :public, :repository) }
+    let(:project) { create(:project, :public, :repository) }
  
    it 'gets a list of branches and tags' do
-      get :refs, namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc'
+      get :refs, namespace_id: project.namespace, id: project, sort: 'updated_desc'
  
      parsed_body = JSON.parse(response.body)
      expect(parsed_body['Branches']).to include('master')
@@ -603,7 +603,7 @@ describe ProjectsController do
    end
  
    it "gets a list of branches, tags and commits" do
-      get :refs, namespace_id: public_project.namespace, id: public_project, ref: "123456"
+      get :refs, namespace_id: project.namespace, id: project, ref: "123456"
  
      parsed_body = JSON.parse(response.body)
      expect(parsed_body["Branches"]).to include("master")
@@ -618,7 +618,7 @@ describe ProjectsController do
      end
  
      it "gets a list of branches, tags and commits" do
-        get :refs, namespace_id: public_project.namespace, id: public_project, ref: "123456"
+        get :refs, namespace_id: project.namespace, id: project, ref: "123456"
  
        parsed_body = JSON.parse(response.body)
        expect(parsed_body["Branches"]).to include("master")
@@ -626,6 +626,22 @@ describe ProjectsController do
        expect(parsed_body["Commits"]).to include("123456")
      end
    end
+
+    context 'when private project' do
+      let(:project) { create(:project, :repository) }
+
+      context 'as a guest' do
+        it 'renders forbidden' do
+          user = create(:user)
+          project.add_guest(user)
+
+          sign_in(user)
+          get :refs, namespace_id: project.namespace, id: project
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
  end
  
  describe 'POST #preview_markdown' do