Resolve "Enforce authorization checks on media uploads"

What does this MR do and why?

Related to comment:

#26781 (comment 893476908)

We want to add the backend part for allowing users to choose whether or not to enforce checks on uploads.

  • This setting will be project level only
  • The setting will only appear when private or internal visibility has been selected
  • The setting will be checked by default on either of the above settings

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

  1. Create an issue in a private project
  2. Add an image
  3. Try to access the image while not logged in
  4. It should load
  5. Turn on the feature flag enforce_auth_checks_on_uploads: ::Feature.enable(:enforce_auth_checks_on_uploads, project)
  6. Update the project to enforce the checks: project.update(enforce_auth_checks_on_uploads: true)
  7. Try to access the image again and it should redirect when not logged in
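The serve-or-redirect behaviour that the validation steps above describe, modelled as a small Ruby policy so the three conditions (feature flag on, private or internal visibility, setting enabled) can be seen together. This is an added example, not code from this MR or from GitLab: the Project struct, the FeatureFlags store, the UploadAccessPolicy module and the :serve/:redirect outcomes are hypothetical stand-ins; only the setting name enforce_auth_checks_on_uploads and the feature flag of the same name come from the MR.

```ruby
# Added example, not GitLab's code. Models the upload authorization decision
# from the MR: the check is enforced only when the feature flag is on for the
# project, the project is private or internal, and the project setting is true.

# Minimal stand-in for the project record (constructed for this example).
Project = Struct.new(:visibility, :enforce_auth_checks_on_uploads, keyword_init: true)

# Minimal stand-in for a per-project feature-flag store (hypothetical).
class FeatureFlags
  def initialize
    @enabled = Hash.new { |h, k| h[k] = {} }
  end

  # Mirrors ::Feature.enable(:flag, project) from the validation steps.
  def enable(flag, project)
    @enabled[flag][project.object_id] = true
  end

  def enabled?(flag, project)
    @enabled[flag][project.object_id] == true
  end
end

module UploadAccessPolicy
  FLAG = :enforce_auth_checks_on_uploads

  # The setting only applies to private or internal projects, matching
  # "the setting will only appear when private or internal visibility
  # has been selected". Public projects never enforce the check.
  def self.setting_applicable?(project)
    %i[private internal].include?(project.visibility)
  end

  # Decide whether an upload request is served (:serve) or sent to the
  # login page (:redirect). A nil setting is treated as not enforced.
  def self.decide(project, flags, signed_in:)
    enforced = flags.enabled?(FLAG, project) &&
               setting_applicable?(project) &&
               project.enforce_auth_checks_on_uploads == true

    return :serve unless enforced

    signed_in ? :serve : :redirect
  end

  # Walk through the MR's validation steps with constructed data and return
  # the outcome at each step: before the flag, after the flag (anonymous),
  # and after the flag (signed in).
  def self.walkthrough
    flags = FeatureFlags.new
    project = Project.new(visibility: :private, enforce_auth_checks_on_uploads: true)

    before_flag = decide(project, flags, signed_in: false)   # step 4: it should load
    flags.enable(FLAG, project)                               # step 5
    project.enforce_auth_checks_on_uploads = true             # step 6
    anonymous = decide(project, flags, signed_in: false)      # step 7: redirect
    logged_in = decide(project, flags, signed_in: true)

    [before_flag, anonymous, logged_in]
  end
end

puts UploadAccessPolicy.walkthrough.inspect if $PROGRAM_NAME == __FILE__
```

The policy deliberately keeps the flag check first: until the flag is enabled for the project, the new column (which the migration creates with a default of true) has no effect, which is what step 4 relies on.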

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Up

➜  gitlab git:(26781-enforce-authorization-checks-on-media-uploads) ✗ bundle exec rake db:migrate:up:main VERSION=20220324091224
== 20220324091224 AddEnforceAuthChecksOnUploadsToProjectSettings: migrating ===
-- add_column(:project_settings, :enforce_auth_checks_on_uploads, :boolean, {:null=>false, :default=>true})
   -> 0.0018s
== 20220324091224 AddEnforceAuthChecksOnUploadsToProjectSettings: migrated (0.0018s)

Revert

➜  gitlab git:(26781-enforce-authorization-checks-on-media-uploads) ✗ bundle exec rake db:migrate:down:main VERSION=20220324091224
== 20220324091224 AddEnforceAuthChecksOnUploadsToProjectSettings: reverting ===
-- remove_column(:project_settings, :enforce_auth_checks_on_uploads, :boolean, {:null=>false, :default=>true})
   -> 0.0062s
== 20220324091224 AddEnforceAuthChecksOnUploadsToProjectSettings: reverted (0.0125s)

Database lab

exec ALTER TABLE "project_settings" ADD "enforce_auth_checks_on_uploads" boolean DEFAULT TRUE NOT NULL
Session: 9945
The query has been executed. Duration: 7.323 ms

Related to #26781 (closed)

Edited by Marc Shaw
