Fix global anonymous searches restriction

Dmitry Gruzd requested to merge 346510-fix-anonymous-searches-restriction into master

What does this MR do and why?

This MR fixes the block_anonymous_global_searches and check_scope_global_search_enabled methods, which enforce global search restrictions. Currently it's possible to circumvent them by adding project_id=x to the query. This MR ensures that we actually check that we have a group or project set in the search_service.

This MR doesn't have a changelog entry since the related feature flags are disabled by default.

https://gitlab.com/gitlab-org/gitlab/-/issues/346510

Screenshots or screen recordings

Before

Screenshot_2021-12-03_at_13.43.09

After

Screenshot_2021-12-03_at_13.43.42

How to set up and validate locally

  1. Configure Advanced Search if it's not enabled already: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/elasticsearch.md
  2. Check out the master branch
  3. In the rails console, enable the feature flag:
    Feature.enable(:block_anonymous_global_searches)
  4. Using an incognito/private browser window, open http://localhost:3000/search?project_id=x&scope=blobs&search=test
  5. Ensure that you see the results page
  6. Check out this MR's branch
  7. Refresh the page
  8. You should see the login page with the warning "You must be logged in to search across all of GitLab"
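The bypass described above (a bogus project_id=x making an anonymous search look scoped) and the before/after behaviour in the validation steps can be reproduced with a small stand-in for a search service. This is an added illustration, not GitLab's own code: the class and method names (SearchRequest, find_project, global_search_by_param?, global_search?, anonymous_search_decision) and the in-memory project table are constructed for the example, and the feature flag is assumed to be enabled.

```ruby
# Added example (not GitLab's code): why the anonymous global-search
# restriction must key off a *resolved* project/group rather than the mere
# presence of an id parameter in the query string.

# Constructed stand-in for the project lookup: only these ids resolve.
PROJECTS = { 1 => 'gitlab-org/gitlab', 2 => 'gitlab-org/gitlab-shell' }.freeze

FakeProject = Struct.new(:id, :full_path)

# Mimics a finder: returns nil for unknown or non-numeric ids such as "x".
def find_project(id)
  key = Integer(id.to_s, exception: false)
  return nil unless key && PROJECTS.key?(key)

  FakeProject.new(key, PROJECTS[key])
end

class SearchRequest
  attr_reader :params, :current_user

  def initialize(params, current_user: nil)
    @params = params
    @current_user = current_user
  end

  # Resolved scope: nil whenever project_id does not point at a real project.
  def project
    return nil unless params[:project_id]

    @project ||= find_project(params[:project_id])
  end

  # Group lookup omitted for brevity; the same resolution rule would apply.
  def group
    nil
  end

  # Vulnerable pattern (the one the MR describes): any non-empty id in the
  # query string is taken to mean "not a global search", so ?project_id=x
  # slips past the anonymous-global-search block.
  def global_search_by_param?
    params[:project_id].to_s.empty? && params[:group_id].to_s.empty?
  end

  # Fixed check: the search is global only when nothing actually resolved.
  def global_search?
    project.nil? && group.nil?
  end
end

# Decision for an anonymous request with the flag enabled:
# :block sends the user to the login page, :allow renders results.
# check: :by_param uses the vulnerable check, :resolved the fixed one.
def anonymous_search_decision(params, check: :resolved)
  req = SearchRequest.new(params, current_user: nil)
  global = check == :by_param ? req.global_search_by_param? : req.global_search?
  global ? :block : :allow
end

if $PROGRAM_NAME == __FILE__
  bogus = { project_id: 'x', scope: 'blobs', search: 'test' }
  puts "before fix: #{anonymous_search_decision(bogus, check: :by_param)}"
  puts "after fix:  #{anonymous_search_decision(bogus, check: :resolved)}"
end
```

Running the file prints `:allow` for the by-param check and `:block` for the resolved check on the same project_id=x query, mirroring steps 5 and 8 of the validation procedure; a real project id still yields `:allow` under the fixed check, so scoped anonymous searches keep working.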

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #346510

Edited by Dmitry Gruzd