Block LFS requests on snippets
What does this MR do?
Addressed as part of #207869 (closed), extracted from !42863 (closed).
The repository routes for project repositories are ambiguous and also match project snippet repositories, so LFS requests for project snippets will work but snippets are not ready yet to properly support LFS.
We can work around this by checking #lfs_enabled? on the container instead of the project, which for snippets will be the snippet itself, and Snippet#lfs_enabled? is currently hard-coded to return false.
To simplify things, we also remove the project-specific access check and use lfs_download_access? instead to determine whether to expose the existence of the project (404 response) or not (403 response), when sending an error response. When LFS is disabled on the container we now also send a 404 instead of a 403.
The ambiguous routing will be addressed with !45872 (merged).
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
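The response-code decision described in this MR, as an added Ruby sketch that is not GitLab's own code. Container, Request and lfs_status are hypothetical names, and the sketch assumes a denied caller who has download access receives 403 while any other denied caller receives 404.

```ruby
# Simplified model of the LFS access check described in the MR text.
# Not GitLab's implementation: Container, Request and lfs_status are
# hypothetical names introduced for this example.
Container = Struct.new(:kind, :lfs_enabled) do
  def lfs_enabled?
    # Per the MR text, Snippet#lfs_enabled? is hard-coded to return false,
    # so a snippet container never passes the check, whatever its settings.
    kind == :snippet ? false : lfs_enabled
  end
end

Request = Struct.new(:operation, :can_download, :can_upload, keyword_init: true)

# Returns the HTTP status an LFS request would receive.
def lfs_status(container, request)
  # The check runs on the container, not on the parent project.
  # LFS disabled on the container: 404 rather than 403.
  return 404 if container.nil? || !container.lfs_enabled?

  allowed = case request.operation
            when :download then request.can_download
            when :upload   then request.can_upload
            else false
            end
  return 200 if allowed

  # Denied request. Assumption: a caller with download access may learn
  # that the container exists (403); everyone else gets 404.
  request.can_download ? 403 : 404
end

# Constructed sample cases covering each branch.
def sample_matrix
  project  = Container.new(:project, true)
  disabled = Container.new(:project, false)
  snippet  = Container.new(:snippet, true) # parent project setting is ignored
  full     = Request.new(operation: :download, can_download: true,  can_upload: true)
  reader   = Request.new(operation: :upload,   can_download: true,  can_upload: false)
  outsider = Request.new(operation: :download, can_download: false, can_upload: false)
  {
    snippet_full:     lfs_status(snippet, full),
    disabled_full:    lfs_status(disabled, full),
    project_full:     lfs_status(project, full),
    project_reader:   lfs_status(project, reader),
    project_outsider: lfs_status(project, outsider)
  }
end
```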