Remove existence check from ProjectUrlConstrainer
What does this MR do?
This was causing non-existent projects to fall back to our wildcard not found route which then behaves differently for repository ref paths.
For repository ref paths like blobs, we ignore the format in the URL because these are rendered as HTML. But when it falls back to the not found route, the format is parsed causing Devise to use the wrong status code for unauthenticated requests.
With this change, valid URLs whether the project exists or not will be handled by the same controller so that behavior will be the same.
Only paths that have invalid project paths would fall back to the wildcard catch-all route.
First commit is a revert of the security fix. This is not needed because this should also fix the security issue.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation created/updated or follow-up review issue created -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
#35289
Merge request reports
Activity
added maintenancerefactor typebug labels
changed milestone to %12.5
Reviewer roulette
Changes that require review have been detected! A merge request is normally reviewed by both a reviewer and a maintainer in its primary category (e.g. frontend or backend), and by a maintainer in all other categories.
To spread load more evenly across eligible reviewers, Danger has randomly picked a candidate for each review slot. Feel free to override this selection if you think someone else would be better-suited, or the chosen person is unavailable.
Once you've decided who will review this merge request, mention them as you normally would! Danger does not (yet?) automatically notify them for you.
Category Reviewer Maintainer backend Alessio Caiazza ( @nolith)Grzegorz Bizon ( @grzesiek)test Quality for spec/features/*Walmyr Lima e Silva Filho ( @wlsf82)No maintainer available Generated by
🚫 DangerEdited by 🤖 GitLab Bot 🤖added devopsplan groupproject management labels
added 14 commits
-
0ea3e137...71b371b9 - 10 commits from branch
master - 0d46a308 - Revert "Avoid #authenticate_user! in #route_not_found"
- 96e741a6 - Remove existence check from ProjectUrlConstrainer
- 95aa7b94 - Make sure Projects#show is matched last
- ebf5380f - Add spec for security issue
Toggle commit list-
0ea3e137...71b371b9 - 10 commits from branch
added 2 commits
