
Commit f0ed5fea by tiagonbotelho

adds fix for security issue when annonymous user does not have access to…

adds fix for security issue: when an anonymous user does not have access to the repository we now display the activity feed instead of the readme
parent c9d93f64
...@@ -50,7 +50,7 @@ module PreferencesHelper ...@@ -50,7 +50,7 @@ module PreferencesHelper
end end
def default_project_view def default_project_view
return annonymous_project_view unless current_user return anonymous_project_view unless current_user
user_view = current_user.project_view user_view = current_user.project_view
...@@ -67,7 +67,7 @@ module PreferencesHelper ...@@ -67,7 +67,7 @@ module PreferencesHelper
end end
end end
def annonymous_project_view def anonymous_project_view
@project.empty_repo? ? 'empty' : 'readme' @project.empty_repo? || !can?(current_user, :download_code, @project) ? 'activity' : 'readme'
end end
end end
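Review bot: The new `:download_code` guard in `anonymous_project_view` only covers the anonymous path; the signed-in branch of `default_project_view` (`user_view = current_user.project_view`, which continues outside the hunk) appears to act on the stored preference alone, so a logged-in user whose preference is `readme` but who lacks `:download_code` on the project may still be routed to the readme view — confirm that path is guarded elsewhere. The rewritten ternary parses as intended (`||` binds tighter than `?:`) but mixes the two without parentheses; `(@project.empty_repo? || !can?(current_user, :download_code, @project)) ? 'activity' : 'readme'` makes the grouping explicit for the next reader. The rename to `anonymous_project_view` is consistent with the only caller visible in this section, the `return … unless current_user` line in the first hunk.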
.row-content-block.second-block.center
%h3.page-title
The repository for this project is empty
- if can?(current_user, :push_code, @project)
%p
If you already have files you can push them using command line instructions below.
%p
Otherwise you can start with adding a
= succeed ',' do
= link_to "README", new_readme_path, class: 'underlined-link'
a
= succeed ',' do
= link_to "LICENSE", add_special_file_path(@project, file_name: 'LICENSE'), class: 'underlined-link'
or a
= link_to '.gitignore', add_special_file_path(@project, file_name: '.gitignore'), class: 'underlined-link'
to this project.
%p
You will need to be owner or have the master permission level for the initial push, as the master branch is automatically protected.
- if can?(current_user, :push_code, @project)
%div{ class: container_class }
.prepend-top-20
.empty_wrapper
%h3.page-title-empty
Command line instructions
%div.git-empty
%fieldset
%h5 Git global setup
%pre.light-well
:preserve
git config --global user.name "#{h git_user_name}"
git config --global user.email "#{h git_user_email}"
%fieldset
%h5 Create a new repository
%pre.light-well
:preserve
git clone #{ content_tag(:span, default_url_to_repo, class: 'clone')}
cd #{h @project.path}
touch README.md
git add README.md
git commit -m "add README"
git push -u origin master
%fieldset
%h5 Existing folder or Git repository
%pre.light-well
:preserve
cd existing_folder
git init
git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'clone')}
git add .
git commit
git push -u origin master
- if can? current_user, :remove_project, @project
.prepend-top-20
= link_to 'Remove project', [@project.namespace.becomes(Namespace), @project], data: { confirm: remove_project_message(@project)}, method: :delete, class: "btn btn-remove pull-right"
...@@ -6,4 +6,62 @@ ...@@ -6,4 +6,62 @@
= render 'shared/no_password' = render 'shared/no_password'
= render "home_panel" = render "home_panel"
= render "empty"
.row-content-block.second-block.center
%h3.page-title
The repository for this project is empty
- if can?(current_user, :push_code, @project)
%p
If you already have files you can push them using command line instructions below.
%p
Otherwise you can start with adding a
= succeed ',' do
= link_to "README", new_readme_path, class: 'underlined-link'
a
= succeed ',' do
= link_to "LICENSE", add_special_file_path(@project, file_name: 'LICENSE'), class: 'underlined-link'
or a
= link_to '.gitignore', add_special_file_path(@project, file_name: '.gitignore'), class: 'underlined-link'
to this project.
%p
You will need to be owner or have the master permission level for the initial push, as the master branch is automatically protected.
- if can?(current_user, :push_code, @project)
%div{ class: container_class }
.prepend-top-20
.empty_wrapper
%h3.page-title-empty
Command line instructions
%div.git-empty
%fieldset
%h5 Git global setup
%pre.light-well
:preserve
git config --global user.name "#{h git_user_name}"
git config --global user.email "#{h git_user_email}"
%fieldset
%h5 Create a new repository
%pre.light-well
:preserve
git clone #{ content_tag(:span, default_url_to_repo, class: 'clone')}
cd #{h @project.path}
touch README.md
git add README.md
git commit -m "add README"
git push -u origin master
%fieldset
%h5 Existing folder or Git repository
%pre.light-well
:preserve
cd existing_folder
git init
git remote add origin #{ content_tag(:span, default_url_to_repo, class: 'clone')}
git add .
git commit
git push -u origin master
- if can? current_user, :remove_project, @project
.prepend-top-20
= link_to 'Remove project', [@project.namespace.becomes(Namespace), @project], data: { confirm: remove_project_message(@project)}, method: :delete, class: "btn btn-remove pull-right"
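Review bot: The inlined markup evaluates `can?(current_user, :push_code, @project)` twice, once for the "push them using command line instructions" paragraph and again for the `%div{ class: container_class }` block that holds those instructions; computing it once, `- can_push = can?(current_user, :push_code, @project)`, and branching on the local keeps the two gates from drifting apart and avoids a second policy lookup. The trailing `- if can? current_user, :remove_project, @project` also drops the parentheses the other `can?` calls use. This section's file header is not visible, so whether it replaces a deleted `_empty` partial (the header-less section above looks like one) is inferred; if so, any remaining `render "empty"` callers would now fail.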
--- ---
title: 500 error on project show when user is not logged in and project is still empty title: fixes 500 error on project show when user is not logged in and project is still empty
merge_request: 7376 merge_request: 7376
author: author:
...@@ -86,21 +86,43 @@ describe PreferencesHelper do ...@@ -86,21 +86,43 @@ describe PreferencesHelper do
end end
end end
describe 'default_project_view' do describe '#default_project_view' do
context 'user not signed in' do context 'user not signed in' do
before do before do
@project = create(:project) helper.instance_variable_set(:@project, project)
stub_user stub_user
end end
it 'returns readme view if repository is not empty' do context 'when repository is empty' do
expect(helper.default_project_view).to eq('readme') let(:project) { create(:project_empty_repo, :public) }
it 'returns activity if user has repository access' do
allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(true)
expect(helper.default_project_view).to eq('activity')
end
it 'returns activity if user does not have repository access' do
allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
expect(helper.default_project_view).to eq('activity')
end
end end
it 'returns activity if repository is empty' do context 'when repository is not empty' do
expect(@project).to receive(:empty_repo?).and_return(true) let(:project) { create(:project, :public) }
it 'returns readme if user has repository access' do
allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(true)
expect(helper.default_project_view).to eq('readme')
end
it 'returns activity if user does not have repository access' do
allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
expect(helper.default_project_view).to eq('empty') expect(helper.default_project_view).to eq('activity')
end
end end
end end
end end
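Review bot: All four new examples stub `can?` outright (`allow(helper).to receive(:can?).with(nil, :download_code, project)`), so the policy decision the security fix depends on — whether an anonymous user is granted `:download_code` on this project — is never exercised by this spec; the examples only confirm the helper's branching on a boolean. An example that builds a project whose repository is not visible to anonymous users and calls `helper.default_project_view` without stubbing `can?` would cover the actual regression; which factory traits are available for that is not visible in the hunk. In the "when repository is empty" context both examples expect `'activity'` regardless of the stubbed value, which matches the `empty_repo? ||` short-circuit but means the second example adds no coverage beyond the first.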