Use devise authenticate_user! for search controller

What does this MR do and why?

Updates the way the search controller authenticates users per #501305 (closed).

It changes the controller so that we authenticate users for search requests:

  • when the public visibility level is restricted
  • when the allow_anonymous_searches flag is disabled (existing check)
  • when the block_anonymous_global_searches feature flag is enabled - for global search scope only (existing check)

We use the Devise authenticate_user! check, which handles the redirect based on the instance setup: for example, if SSO is set up it redirects to the SSO page instead of /users/sign_in, which could contain banners and information customers don't want to expose.
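A plain-Ruby model of the three conditions above, added here as an example and not the MR's own code: it mirrors the four local validation scenarios from this description so a reviewer can check which anonymous requests end up in authenticate_user!. The class and helper names (SearchAuthPolicy, Settings, policy, scenario_results) are assumptions, and 20 is taken as the public visibility level because the validation steps use that value.

```ruby
# Added example, not the MR's code. SearchAuthPolicy/Settings are hypothetical
# names; 20 is the public visibility level used in the MR's validation steps.
PUBLIC_VISIBILITY = 20

Settings = Struct.new(:restricted_visibility_levels, keyword_init: true)

class SearchAuthPolicy
  def initialize(settings:, allow_anonymous_searches:, block_anonymous_global_searches:)
    @settings = settings
    @allow_anonymous_searches = allow_anonymous_searches
    @block_anonymous_global_searches = block_anonymous_global_searches
  end

  # params is the request params hash, e.g. { 'search' => 'gitlab', 'group_id' => '24' }.
  # true means the anonymous request must go through authenticate_user! (redirect).
  def authentication_required?(params)
    # 1. public visibility is restricted at the instance level
    return true if @settings.restricted_visibility_levels.include?(PUBLIC_VISIBILITY)
    # 2. anonymous searches are disabled entirely (existing check)
    return true unless @allow_anonymous_searches
    # 3. global searches are blocked, but only when no group/project scopes the request
    return true if @block_anonymous_global_searches && global_scope?(params)

    false
  end

  private

  # A search is global when neither group_id nor project_id narrows it.
  def global_scope?(params)
    params['group_id'].to_s.empty? && params['project_id'].to_s.empty?
  end
end

# Builds a policy from the three knobs; defaults match validation step 1 (no auth needed).
def policy(restricted: [], allow: true, block: false)
  SearchAuthPolicy.new(settings: Settings.new(restricted_visibility_levels: restricted),
                       allow_anonymous_searches: allow,
                       block_anonymous_global_searches: block)
end

# Constructed requests mirroring the four validation scenarios in this MR.
def scenario_results
  global = { 'search' => 'gitlab' }
  group  = { 'search' => 'gitlab', 'group_id' => '24' }
  {
    open: policy.authentication_required?(global),                              # false
    public_restricted: policy(restricted: [20]).authentication_required?(global), # true
    anonymous_disabled: policy(allow: false).authentication_required?(global),    # true
    global_blocked_group: policy(block: true).authentication_required?(group),    # false
    global_blocked_global: policy(block: true).authentication_required?(global)   # true
  }
end

puts scenario_results.inspect if $PROGRAM_NAME == __FILE__
```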

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Open an incognito tab at <gdk url>/search:

  1. if none of the flags/settings require authentication, note that search is available
    ::Gitlab::CurrentSettings.update!(restricted_visibility_levels: [])
    Feature.enable(:allow_anonymous_searches)
    Feature.disable(:block_anonymous_global_searches)
  2. if public visibility is restricted, you get redirected
    ::Gitlab::CurrentSettings.update!(restricted_visibility_levels: [20])
  3. if allow_anonymous_searches is disabled, you get redirected
    ::Gitlab::CurrentSettings.update!(restricted_visibility_levels: [])
    Feature.disable(:allow_anonymous_searches)
  4. if block_anonymous_global_searches is enabled, only global searches get redirected
    Feature.enable(:allow_anonymous_searches)
    Feature.enable(:block_anonymous_global_searches)
    1. You can do group/project searches: http://127.0.0.1:3000/search?search=gitlab&group_id=24
    2. You get redirected for global searches: http://127.0.0.1:3000/search?search=gitlab

Related to #501305 (closed)

Edited by Madelein van Niekerk