Allow administrators to force access control for gitlab pages (disable public pages)

What does this MR do?

#32095 (closed)

Allow pages access control to be forced on the instance level

Limitations

  1. We actually don't update any config.json files for the pages daemon, so if you enforce access control on the admin level, it will take effect only with the next pages deployment or change of pages-related settings. But that will be resolved by gitlab-pages#282 (closed), when we'll get rid of these files altogether.
  2. Settings in project_feature are allowed to be in an inconsistent state (be public) with the global restriction. But this way, if an admin has enforced access control and later reverted this change, old settings will take effect.

Allowed settings for pages visibility in the UI

Without enforced access control:

project visibility | members-only | internal (everyone with access) | public (not logged in users)
private
internal
public (effectively everyone/public)

With enforced access control:

project visibility | members-only | internal (everyone with access) | public (not logged in users)
private
internal
public (effectively everyone/public)


Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Vladimir Shushlin
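
The two limitations described above, as an added Ruby sketch that is not code from this merge request or from GitLab: the stored per-project setting is left untouched by the instance flag, and the daemon-side snapshot only changes on the next deployment, so an audit can list sites that are still served anonymously after enforcement. All class, method and field names are hypothetical, and the model ignores project visibility.

```ruby
# Illustrative model only: names are hypothetical, not GitLab's implementation.
LEVELS = %i[members_only everyone_with_access public].freeze

class PagesSite
  attr_reader :stored_level, :deployed_access_control

  def initialize(stored_level)
    raise ArgumentError, "unknown level" unless LEVELS.include?(stored_level)
    @stored_level = stored_level      # per-project setting, never rewritten by the admin flag
    @deployed_access_control = nil    # what the daemon's config snapshot last recorded
  end

  # What the application intends: a forced instance never serves pages anonymously.
  def intended_public?(forced)
    !forced && stored_level == :public
  end

  # Regenerates the daemon-side snapshot (a deployment or a pages settings change).
  def deploy!(forced)
    @deployed_access_control = !intended_public?(forced)
  end

  # True while the daemon still serves the site anonymously although the instance forbids it.
  def stale_exposure?(forced)
    forced && deployed_access_control == false
  end
end

# Names of sites whose deployed snapshot contradicts the instance-level flag.
def audit(sites, forced)
  sites.select { |_name, site| site.stale_exposure?(forced) }.keys
end

def demo
  # Constructed sample data: two sites deployed before enforcement was enabled.
  sites = { "docs" => PagesSite.new(:public), "wiki" => PagesSite.new(:members_only) }
  sites.each_value { |s| s.deploy!(false) }
  before = audit(sites, true)          # admin enables enforcement, nothing redeployed yet
  sites["docs"].deploy!(true)          # next deployment picks up the flag
  after = audit(sites, true)
  reverted = sites["docs"].intended_public?(false)  # flag reverted: stored setting applies again
  { before: before, after: after, reverted: reverted, stored: sites["docs"].stored_level }
end

p demo if __FILE__ == $PROGRAM_NAME
```
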
