From ffe9513ecf7755d640b7d04e13193b901bad826b Mon Sep 17 00:00:00 2001
From: Dmitry Gruzd <dgruzd@gitlab.com>
Date: Fri, 8 Dec 2023 21:41:13 +0000
Subject: [PATCH] Add allow_anonymous_searches feature flag
This MR adds a new ops feature flag to allow customers to disable public access to /search
---
 app/controllers/search_controller.rb | 13 ++++++++++++-
 .../ops/allow_anonymous_searches.yml | 8 ++++++++
 locale/gitlab.pot | 3 +++
 spec/controllers/search_controller_spec.rb | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 config/feature_flags/ops/allow_anonymous_searches.yml
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index b9e7007f98ff..64d9db41a1b0 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -27,7 +27,10 @@ def self.search_rate_limited_endpoints
 around_action :allow_gitaly_ref_name_caching
- before_action :block_anonymous_global_searches, :check_scope_global_search_enabled, except: :opensearch
+ before_action :block_all_anonymous_searches,
+ :block_anonymous_global_searches,
+ :check_scope_global_search_enabled,
+ except: :opensearch
 skip_before_action :authenticate_user!
 requires_cross_project_access if: -> do
@@ -226,6 +229,14 @@ def block_anonymous_global_searches
 redirect_to new_user_session_path, alert: _('You must be logged in to search across all of GitLab')
 end
+ def block_all_anonymous_searches
+ return if current_user || ::Feature.enabled?(:allow_anonymous_searches, type: :ops)
+
+ store_location_for(:user, request.fullpath)
+
+ redirect_to new_user_session_path, alert: _('You must be logged in to search')
+ end
+
 def check_scope_global_search_enabled
 return unless search_service.global_search?
diff --git a/config/feature_flags/ops/allow_anonymous_searches.yml b/config/feature_flags/ops/allow_anonymous_searches.yml
new file mode 100644
index 000000000000..248beb7c39d5
--- /dev/null
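Review bot: The rewritten `before_action` list keeps `except: :opensearch`, so with the flag turned off the `opensearch` action stays reachable by signed-out users while every other action redirects to sign-in, and nothing in the hunk says why that action is exempt. Because `skip_before_action :authenticate_user!` follows directly, the filters in this list are the only anonymous-access checks visible here, so the exemption deserves a comment above the list, for example `# opensearch only returns the OpenSearch description and runs no query, so it is exempt from the anonymous-search checks`. That wording is presumed from the action name and should be confirmed against the action body, which is outside this hunk.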
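Review bot: `block_all_anonymous_searches` calls `store_location_for(:user, request.fullpath)` and then `redirect_to new_user_session_path` for every blocked request, whatever its format. The filter is registered for all actions except `opensearch`, so if any of them serve JSON or XHR callers (the action list is outside this hunk) those callers receive a 302 to an HTML page and the stored post-login location points at a data endpoint. Consider storing the location only for HTML navigations, `store_location_for(:user, request.fullpath) if request.format.html?`, and answering other formats with `head :unauthorized`. The method would also benefit from a one-line comment such as `# Ops flag defaults to enabled: anonymous search is blocked only once allow_anonymous_searches is turned off`.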
+++ b/config/feature_flags/ops/allow_anonymous_searches.yml
@@ -0,0 +1,8 @@
+---
+name: allow_anonymous_searches
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138975
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/434218
+milestone: '16.7'
+type: ops
+group: group::global search
+default_enabled: true
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 496c93e1a9a7..9e0256c31cb9 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -55988,6 +55988,9 @@ msgstr ""
 msgid "You must be authenticated to access this path."
 msgstr ""
+msgid "You must be logged in to search"
+msgstr ""
+
 msgid "You must be logged in to search across all of GitLab"
 msgstr ""
diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb
index 82b7c1ba9274..10fe15558c51 100644
--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -189,6 +189,25 @@
 end
 end
+ context 'when allow_anonymous_searches is disabled' do
+ before do
+ stub_feature_flags(allow_anonymous_searches: false)
+ end
+
+ context 'for unauthenticated user' do
+ before do
+ sign_out(user)
+ end
+
+ it 'redirects to login page' do
+ get :show, params: { scope: 'projects', search: '*' }
+
+ expect(response).to redirect_to new_user_session_path
+ expect(flash[:alert]).to match(/You must be logged in/)
+ end
+ end
+ end
+
 context 'tab feature flags' do
 subject { get :show, params: { scope: scope, search: 'term' }, format: :html }
-- 
GitLab
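Review bot: The assertion `match(/You must be logged in/)` in the new example also matches the older alert 'You must be logged in to search across all of GitLab', and the request passes no project or group parameter, so the example cannot tell which filter produced the redirect. If the existing global-search block is active in this context (its condition is outside the hunk), the example would pass even without `block_all_anonymous_searches`. Pin the new message with `expect(flash[:alert]).to eq('You must be logged in to search')` and add an example scoped to a project, which the global-search filter should leave alone. The enclosing describe block starts and ends outside this hunk.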