Disable "explore" and "help"
Description
Some organizations prefer to have all GitLab related data private, currently on the sign-in page we offer two links that can be accessed by non-authenticated users.
/help/explore
There's also /public and /explore/groups.
Proposal
- When the Public option is set as a restricted visibility setting in
/admin/application_settings, require authentication for/explore,/help, and/publicfor non-authenticated users. - When selected:
- Redirect unauthenticated users to the sign in page.
- Remove the Explore link from the sign in page.
- Redirect an unauthenticated user attempting to access
/helpto https://docs.gitlab.com/.
Links / references
- https://gitlab.com/gitlab-org/gitlab-ce/issues/12658 (discussed)
- https://gitlab.zendesk.com/agent/tickets/76430
Workaround - taken from https://gitlab.com/gitlab-org/gitlab-ce/issues/12658#note_4346566
Only applies to explore
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 99a45e5..7a08f0c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
before_action :authenticate_user_from_private_token!
before_action :authenticate_user!
before_action :validate_user_service_ticket!
+ before_action :force_authenticated_user!
before_action :check_password_expiration
before_action :ldap_security_check
before_action :sentry_context
@@ -87,6 +88,12 @@ class ApplicationController < ActionController::Base
logger.error "\n#{exception.class.name} (#{exception.message}):\n#{application_trace.join}"
end
+ def force_authenticated_user!(*args)
+ if (!current_user) and (["/users/sign_in", "/users/password/new", "/users/password", "/users/password/edit"].exclude?(request.path))
+ redirect_to new_user_session_path and return
+ end
+ end
+
def after_sign_in_path_for(resource)
stored_location_for(:redirect) || stored_location_for(resource) || root_path
end