Disable "explore" and "help"
### Description

Some organizations prefer to have all GitLab-related data private. Currently, on the sign-in page, we offer two links that can be accessed by non-authenticated users.

+ `/help`
+ `/explore`

There's also `/public` and `/explore/groups`.

### Proposal

* When the Public option is set as a restricted visibility setting in `/admin/application_settings`, require authentication for `/explore`, `/help`, and `/public` for non-authenticated users.
* When selected:
  * Redirect unauthenticated users to the sign in page.
  * Remove the Explore link from the sign in page.
  * Redirect an unauthenticated user attempting to access `/help` to https://docs.gitlab.com/.

### Links / references

+ https://gitlab.com/gitlab-org/gitlab-ce/issues/12658 (discussed)
+ https://gitlab.zendesk.com/agent/tickets/76430

### Workaround - taken from https://gitlab.com/gitlab-org/gitlab-ce/issues/12658#note_4346566

**Only applies to `explore`**

```diff
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 99a45e5..7a08f0c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base before_action :authenticate_user_from_private_token! before_action :authenticate_user! before_action :validate_user_service_ticket! + before_action :force_authenticated_user! before_action :check_password_expiration before_action :ldap_security_check before_action :sentry_context 
@@ -87,6 +88,12 @@ class ApplicationController < ActionController::Base logger.error "\n#{exception.class.name} (#{exception.message}):\n#{application_trace.join}" end + def force_authenticated_user!(*args) + if (!current_user) and (["/users/sign_in", "/users/password/new", "/users/password", "/users/password/edit"].exclude?(request.path)) + redirect_to new_user_session_path and return + end + end + def after_sign_in_path_for(resource) stored_location_for(:redirect) || stored_location_for(resource) || root_path end
```
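
Review bot: In the first hunk, `before_action :force_authenticated_user!` is registered unconditionally in `ApplicationController`, so it runs on every controller that inherits from it rather than only on the explore pages, and it is not tied to the Public restricted-visibility setting the proposal describes. Make the callback conditional on that setting (for example with an `if:` option on the `before_action`) and add a comment saying why it is needed in addition to `authenticate_user!` two lines above.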
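
Review bot: In `force_authenticated_user!` (second hunk), the exemption list is four hard-coded strings matched exactly against `request.path`, so an unauthenticated request whose path differs from those literals (a trailing slash, a format suffix, a path prefix) is redirected, and for the sign-in page itself that would loop. Prefer `skip_before_action :force_authenticated_user!` in the controllers that must stay reachable, or compare against route helpers such as `new_user_session_path`, which the hunk already uses for the redirect. Minor: `*args` is unused, `&&` is the usual operator in a condition rather than `and`, and `and return` is unnecessary as the last statement of the callback.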