Commit 5dfec1ce authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch '10-8-stable-patch-4' into '10-8-stable'

Prepare 10.8.4 release

See merge request !19472
parents 564c3424 94badb64
Pipeline #23352474 passed with stages
in 81 minutes and 41 seconds
...@@ -130,12 +130,17 @@ class ApplicationController < ActionController::Base ...@@ -130,12 +130,17 @@ class ApplicationController < ActionController::Base
end end
def access_denied!(message = nil) def access_denied!(message = nil)
# If we display a custom access denied message to the user, we don't want to
# hide existence of the resource, rather tell them they cannot access it using
# the provided message
status = message.present? ? :forbidden : :not_found
respond_to do |format| respond_to do |format|
format.any { head :not_found } format.any { head status }
format.html do format.html do
render "errors/access_denied", render "errors/access_denied",
layout: "errors", layout: "errors",
status: 404, status: status,
locals: { message: message } locals: { message: message }
end end
end end
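Review bot: With `status = message.present? ? :forbidden : :not_found`, whether a denied request hides the resource now depends on each caller of `access_denied!`, and nothing on the method states that contract. Any call site that passes a non-blank message returns 403 and so confirms that the resource exists, possibly to a user who is not meant to learn that; the call sites are outside this hunk and should be checked with this in mind. I would extend the comment with something like `# Only pass a message when disclosing that the resource exists is acceptable; a nil or blank message keeps the 404.` The method's closing `end` lies outside the hunk.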
......
...@@ -46,6 +46,9 @@ module Projects ...@@ -46,6 +46,9 @@ module Projects
yield(@project) if block_given? yield(@project) if block_given?
# If the block added errors, don't try to save the project
return @project if @project.errors.any?
@project.creator = current_user @project.creator = current_user
if forked_from_project_id if forked_from_project_id
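Review bot: The comment above `return @project if @project.errors.any?` says what the guard does but not why it is needed. ActiveModel's `valid?` clears `errors` before running validations, so errors added by the block would presumably be discarded by the save further down (not visible here) and the project would be created despite the block's objection. I would reword it to `# Errors added by the block are wiped by the next validation run, so stop here instead of saving`; the same comment is repeated in the update service hunk. The early return also comes before `@project.creator = current_user`, so on this path callers get back a project without a creator. The enclosing method starts and ends outside the hunk.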
......
...@@ -17,6 +17,11 @@ module Projects ...@@ -17,6 +17,11 @@ module Projects
ensure_wiki_exists if enabling_wiki? ensure_wiki_exists if enabling_wiki?
yield if block_given?
# If the block added errors, don't try to save the project
return validation_failed! if project.errors.any?
if project.update_attributes(params.except(:default_branch)) if project.update_attributes(params.except(:default_branch))
if project.previous_changes.include?('path') if project.previous_changes.include?('path')
project.rename_repo project.rename_repo
...@@ -28,10 +33,7 @@ module Projects ...@@ -28,10 +33,7 @@ module Projects
success success
else else
model_errors = project.errors.full_messages.to_sentence validation_failed!
error_message = model_errors.presence || 'Project could not be updated!'
error(error_message)
end end
end end
...@@ -43,6 +45,13 @@ module Projects ...@@ -43,6 +45,13 @@ module Projects
private private
def validation_failed!
model_errors = project.errors.full_messages.to_sentence
error_message = model_errors.presence || 'Project could not be updated!'
error(error_message)
end
def renaming_project_with_container_registry_tags? def renaming_project_with_container_registry_tags?
new_path = params[:path] new_path = params[:path]
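Review bot: In the first hunk the new `yield if block_given?` and the `project.errors.any?` guard come after `ensure_wiki_exists if enabling_wiki?`, so a block that rejects the update cannot stop whatever that call does. Judging by its name it creates the wiki, though its body is not shown. If the block is meant to veto the whole update, the two added statements belong before that line. Separately, this service yields no argument while the create service in this commit uses `yield(@project)`; `yield(project) if block_given?` would keep the two hooks consistent. The method begins outside the hunk.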
......
...@@ -469,4 +469,28 @@ describe ApplicationController do ...@@ -469,4 +469,28 @@ describe ApplicationController do
end end
end end
end end
describe '#access_denied' do
controller(described_class) do
def index
access_denied!(params[:message])
end
end
before do
sign_in user
end
it 'renders a 404 without a message' do
get :index
expect(response).to have_gitlab_http_status(404)
end
it 'renders a 403 when a message is passed to access denied' do
get :index, message: 'None shall pass'
expect(response).to have_gitlab_http_status(403)
end
end
end end
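Review bot: Both new examples issue a plain `get :index`, so only the `format.html` branch of `access_denied!` is exercised. The `format.any { head status }` branch that this commit also changed has no coverage. An example such as `get :index, message: 'None shall pass', format: :json` expecting 403, plus the same request without a message expecting 404, would pin the status for non-HTML clients. A blank message (`message: ''`) also deserves an example, since `present?` treats it as absent and the response should stay 404.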
...@@ -43,13 +43,13 @@ describe ControllerWithCrossProjectAccessCheck do ...@@ -43,13 +43,13 @@ describe ControllerWithCrossProjectAccessCheck do
end end
end end
it 'renders a 404 with trying to access a cross project page' do it 'renders a 403 with trying to access a cross project page' do
message = "This page is unavailable because you are not allowed to read "\ message = "This page is unavailable because you are not allowed to read "\
"information across multiple projects." "information across multiple projects."
get :index get :index
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
expect(response.body).to match(/#{message}/) expect(response.body).to match(/#{message}/)
end end
...@@ -119,7 +119,7 @@ describe ControllerWithCrossProjectAccessCheck do ...@@ -119,7 +119,7 @@ describe ControllerWithCrossProjectAccessCheck do
get :index get :index
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
end end
it 'is executed when the `unless` condition returns true' do it 'is executed when the `unless` condition returns true' do
...@@ -127,19 +127,19 @@ describe ControllerWithCrossProjectAccessCheck do ...@@ -127,19 +127,19 @@ describe ControllerWithCrossProjectAccessCheck do
get :index get :index
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
end end
it 'does not skip the check on an action that is not skipped' do it 'does not skip the check on an action that is not skipped' do
get :show, id: 'hello' get :show, id: 'hello'
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
end end
it 'does not skip the check on an action that was not defined to skip' do it 'does not skip the check on an action that was not defined to skip' do
get :edit, id: 'hello' get :edit, id: 'hello'
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
end end
end end
end end
......
...@@ -32,7 +32,7 @@ describe SearchController do ...@@ -32,7 +32,7 @@ describe SearchController do
it 'still blocks searches without a project_id' do it 'still blocks searches without a project_id' do
get :show, search: 'hello' get :show, search: 'hello'
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(403)
end end
it 'allows searches with a project_id' do it 'allows searches with a project_id' do
......
...@@ -30,7 +30,9 @@ describe API::Settings, 'Settings' do ...@@ -30,7 +30,9 @@ describe API::Settings, 'Settings' do
describe "PUT /application/settings" do describe "PUT /application/settings" do
context "custom repository storage type set in the config" do context "custom repository storage type set in the config" do
before do before do
storages = { 'custom' => 'tmp/tests/custom_repositories' } # Add a possible storage to the config
storages = Gitlab.config.repositories.storages
.merge({ 'custom' => 'tmp/tests/custom_repositories' })
allow(Gitlab.config.repositories).to receive(:storages).and_return(storages) allow(Gitlab.config.repositories).to receive(:storages).and_return(storages)
end end
......