From d710525de9773c8cd63e4476c3c652929f902e76 Mon Sep 17 00:00:00 2001
From: Dmitry Gruzd
Date: Wed, 6 Dec 2023 19:35:25 +0100
Subject: [PATCH 1/2] Add allow_anonymous_searches feature flag
This MR adds a new ops feature flag to allow customers to disable public access to /search
---
 app/controllers/search_controller.rb | 13 ++++++++++++-
 .../ops/allow_anonymous_searches.yml | 8 ++++++++
 locale/gitlab.pot | 3 +++
 spec/controllers/search_controller_spec.rb | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 config/feature_flags/ops/allow_anonymous_searches.yml
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index b9e7007f98ff02..4bb20e5013c7dc 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -27,7 +27,10 @@ def self.search_rate_limited_endpoints
 around_action :allow_gitaly_ref_name_caching
- before_action :block_anonymous_global_searches, :check_scope_global_search_enabled, except: :opensearch
+ before_action :block_anonymous_global_searches,
+ :block_all_anonymous_searches,
+ :check_scope_global_search_enabled,
+ except: :opensearch
 skip_before_action :authenticate_user!
 requires_cross_project_access if: -> do
@@ -226,6 +229,14 @@ def block_anonymous_global_searches
 redirect_to new_user_session_path, alert: _('You must be logged in to search across all of GitLab')
 end
+ def block_all_anonymous_searches
+ return if current_user || ::Feature.enabled?(:allow_anonymous_searches, type: :ops)
+ store_location_for(:user, request.fullpath)
+ redirect_to new_user_session_path, alert: _('You must be logged in to search')
+ end
+
 def check_scope_global_search_enabled
 return unless search_service.global_search?
diff --git a/config/feature_flags/ops/allow_anonymous_searches.yml b/config/feature_flags/ops/allow_anonymous_searches.yml
new file mode 100644
index 00000000000000..248beb7c39d531
--- /dev/null
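Review bot: `block_all_anonymous_searches` carries no comment, and sitting directly under the older global-search gate its distinct purpose (an ops flag that withdraws unauthenticated access to every search action except opensearch) is easy to misread; add `# Ops flag gate: when allow_anonymous_searches is disabled, every search action except opensearch requires a signed-in user.` above the `def`. Because this is a controller-level before_action it only protects routes served by SearchController; if the intent is to let operators remove all unauthenticated search access, any other search entry point outside this controller should be confirmed to honour the same flag, which cannot be seen from this hunk. `store_location_for(:user, request.fullpath)` keeps the post-login return target to the request's own path and query, which is the right choice here. The `before_action` registration for this method is in the earlier hunk of the same file.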
+++ b/config/feature_flags/ops/allow_anonymous_searches.yml
@@ -0,0 +1,8 @@
+---
+name: allow_anonymous_searches
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138975
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/434218
+milestone: '16.7'
+type: ops
+group: group::global search
+default_enabled: true
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 01bc457c6d4489..bde55cb5af1efa 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -55874,6 +55874,9 @@ msgstr ""
 msgid "You must be authenticated to access this path."
 msgstr ""
+msgid "You must be logged in to search"
+msgstr ""
+
 msgid "You must be logged in to search across all of GitLab"
 msgstr ""
diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb
index 82b7c1ba927463..10fe15558c51dc 100644
--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -189,6 +189,25 @@
 end
 end
+ context 'when allow_anonymous_searches is disabled' do
+ before do
+ stub_feature_flags(allow_anonymous_searches: false)
+ end
+
+ context 'for unauthenticated user' do
+ before do
+ sign_out(user)
+ end
+
+ it 'redirects to login page' do
+ get :show, params: { scope: 'projects', search: '*' }
+
+ expect(response).to redirect_to new_user_session_path
+ expect(flash[:alert]).to match(/You must be logged in/)
+ end
+ end
+ end
+
 context 'tab feature flags' do
 subject { get :show, params: { scope: scope, search: 'term' }, format: :html }
-- 
GitLab
From cf17c15b784a8d11e62cfd52c86e8e42e2460845 Mon Sep 17 00:00:00 2001
From: Dmitry Gruzd
Date: Fri, 8 Dec 2023 17:21:41 +0100
Subject: [PATCH 2/2] Fix undercoverage
---
 app/controllers/search_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 4bb20e5013c7dc..64d9db41a1b0eb 100644
--- a/app/controllers/search_controller.rb
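Review bot: The assertion `expect(flash[:alert]).to match(/You must be logged in/)` is also satisfied by the pre-existing alert 'You must be logged in to search across all of GitLab', so this example passes even when the redirect came from `block_anonymous_global_searches` rather than the new gate; assert the exact message, `expect(flash[:alert]).to eq('You must be logged in to search')`. The single example is a global search (`scope: 'projects'` with no project or group), so the flag's effect on a project- or group-scoped search — where, going by its name, the global-search gate does not apply — is not exercised; one more example passing a project_id or group_id would cover it. The enclosing describe block starts and ends outside the hunk.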
+++ b/app/controllers/search_controller.rb
@@ -27,8 +27,8 @@ def self.search_rate_limited_endpoints
 around_action :allow_gitaly_ref_name_caching
- before_action :block_anonymous_global_searches,
- :block_all_anonymous_searches,
+ before_action :block_all_anonymous_searches,
+ :block_anonymous_global_searches,
 :check_scope_global_search_enabled,
 except: :opensearch
 skip_before_action :authenticate_user!
-- 
GitLab
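Review bot: The new ordering is load-bearing but undocumented: `block_all_anonymous_searches` now runs before `block_anonymous_global_searches`, so an anonymous global search with the ops flag disabled reaches the instance-wide gate instead of being redirected first by the global one (presumably the undercoverage the commit title refers to), and a later reshuffle of the before_action list could silently reverse that. Add a comment above the `before_action` line, e.g. `# Keep block_all_anonymous_searches first: it is the broader gate, and the global-search gate only matters when anonymous searches are allowed at all.` The class body continues outside the hunk.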