Add user docs for Pages access control

a019c9c7 · Achilleas Pipinellis · Evan Read · 547952b4 · a019c9c7 · a019c9c7
5 changed file
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -244,8 +244,9 @@ This setting is enabled by default.

 ### Access control

-Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
-in GitLab 11.5. It can be configured per-project, and allows access to a Pages
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+GitLab Pages access control can be configured per-project, and allows access to a Pages
 site to be controlled based on a user's membership to that project.

 Access control works by registering the Pages daemon as an OAuth application
@@ -259,15 +260,16 @@ Each request to view a resource in a private site is authenticated by Pages
 using that token. For each request it receives, it makes a request to the GitLab
 API to check that the user is authorized to read that site.

-Pages access control is currently disabled by default. To enable it, you must:
+Pages access control is disabled by default. To enable it:

-1. Enable it in `/etc/gitlab/gitlab.rb`
+1. Enable it in `/etc/gitlab/gitlab.rb`:

    ```ruby
    gitlab_pages['access_control'] = true
    ```

-1. [Reconfigure GitLab][reconfigure]
+1. [Reconfigure GitLab][reconfigure].
+1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).

 ## Activate verbose logging for daemon


--- a/doc/administration/pages/source.md
+++ b/doc/administration/pages/source.md
@@ -393,8 +393,9 @@ server_name ~^.*\.pages\.example\.io$;

 ## Access control

-Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
-in GitLab 11.5. It can be configured per-project, and allows access to a Pages
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+GitLab Pages access control can be configured per-project, and allows access to a Pages
 site to be controlled based on a user's membership to that project.

 Access control works by registering the Pages daemon as an OAuth application
@@ -408,15 +409,17 @@ Each request to view a resource in a private site is authenticated by Pages
 using that token. For each request it receives, it makes a request to the GitLab
 API to check that the user is authorized to read that site.

-Pages access control is currently disabled by default. To enable it, you must:
+Pages access control is disabled by default. To enable it:

 1. Modify your `config/gitlab.yml` file:
+
    ```yaml
    pages:
      access_control: true
    ```
-1. [Restart GitLab][restart]
-1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile)
+
+1. [Restart GitLab][restart].
+1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile).
   This should be called `GitLab Pages` and have a `Redirect URL` of
   `https://projects.example.io/auth`. It does not need to be a "trusted"
   application, but it does need the "api" scope.
@@ -429,6 +432,8 @@ Pages access control is currently disabled by default. To enable it, you must:
      -auth-server <URL of the GitLab instance>
    ```

+1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
+
 ## Change storage path

 Follow the steps below to change the default path where GitLab Pages' contents

--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -95,7 +95,7 @@ The following table depicts the various user permission levels in a project.
 | Manage GitLab Pages                   |         |            |             | ✓        | ✓      |
 | Manage GitLab Pages domains and certificates |         |            |             | ✓        | ✓      |
 | Remove GitLab Pages                   |         |            |             |          | ✓      |
-| View GitLab Pages protected by [access control](../administration/pages/index.md#access-control) | ✓       | ✓          | ✓           | ✓        | ✓      |
+| View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core-only) | ✓       | ✓          | ✓           | ✓        | ✓      |
 | Manage clusters                       |         |            |             | ✓        | ✓      |
 | Manage license policy **[ULTIMATE]**  |         |            |             | ✓        | ✓      |
 | Edit comments (posted by any user)    |         |            |             | ✓        | ✓      |

--- a/doc/user/project/pages/introduction.md
+++ b/doc/user/project/pages/introduction.md
@@ -441,6 +441,46 @@ The rest of the guide still applies.

 See also: [GitLab Pages from A to Z: Part 1 - Static sites and GitLab Pages domains](getting_started_part_one.md#gitlab-pages-domain).

+## GitLab Pages access control **[CORE ONLY]**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
+
+NOTE: **Note:**
+GitLab Pages access control is not activated on GitLab.com.
+
+You can enable Pages access control on your project, so that only
+[members of your project](../../permissions.md#project-members-permissions)
+(at least Guest) can access your website:
+
+1. Navigate to your project's **Settings > General > Permissions**.
+1. Toggle the **Pages** button to enable the access control.
+
+    NOTE: **Note:**
+    If you don't see the toggle button, that means that it's not enabled.
+    Ask your administrator to [enable it](../../../administration/pages/index.md#access-control).
+
+1. The Pages access control dropdown allows you to set who can view pages hosted
+   with GitLab Pages, depending on your project's visibility:
+
+    - If your project is private:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+    - If your project is internal:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone with access**: Everyone logged into GitLab will be able to browse the website, no matter their project membership.
+      - **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+    - If your project is public:
+      - **Only project members**: Only project members will be able to browse the website.
+      - **Everyone with access**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
+
+1. Click **Save changes**.
+
+---
+
+The next time someone tries to access your website and the access control is
+enabled, they will be presented with a page to sign into GitLab and verify they
+can access the website.
+
 ## Limitations

 When using Pages under the general domain of a GitLab instance (`*.example.io`),

--- a/doc/user/project/settings/img/sharing_and_permissions_settings.png
+++ b/doc/user/project/settings/img/sharing_and_permissions_settings.png