authorHannes Rosenögger <123haynes@gmail.com>2015-04-14 17:02:17 +0200
committerHannes Rosenögger <123haynes@gmail.com>2015-04-16 12:37:19 +0200
commit7bba2a19abca889ba439c74fbcc3e4d94f6f6760 (patch)
tree08c9ed39e70cce80cd810372aa6917b86a4eaab4
parented94cde2b2b920a38490919597dda7aa706dff62 (diff)
downloadgitlab-ce-7bba2a19abca889ba439c74fbcc3e4d94f6f6760.tar.gz
remove access control for images
This commit removes the access control for uploaded images. This is needed to display the images in emails again.
-rw-r--r--app/controllers/projects/uploads_controller.rb31
1 files changed, 25 insertions, 6 deletions
diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
index 9020e86c44e..69d02affec2 100644
--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
@@ -1,7 +1,9 @@
class Projects::UploadsController < Projects::ApplicationController
layout 'project'
- before_filter :project
+ skip_before_filter :project, :repository, :authenticate_user!, only: [:show]
+
+ before_filter :authorize_uploads, only: [:show]
def create
link_to_file = ::Projects::UploadService.new(project, params[:file]).
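Review bot: The `skip_before_filter` line at the top of the class drops `:project`, `:repository` and `:authenticate_user!` for `show` without recording what replaces them, so a later reader cannot tell that `authorize_uploads` is now the only gate on that action. A comment above it would make the trust decision explicit, for example `# show is reachable without login so images render in e-mails; authorize_uploads re-applies the project check for non-image files`. The class body continues outside this hunk, so whether other filters still apply to `show` cannot be confirmed from here.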
@@ -21,15 +23,32 @@ class Projects::UploadsController < Projects::ApplicationController
end
def show
- uploader = FileUploader.new(project, params[:secret])
+ uploader = get_file
+
+ return not_found! if uploader.nil? || !uploader.file.exists?
+
+ disposition = uploader.image? ? 'inline' : 'attachment'
+ send_file uploader.file.path, disposition: disposition
+ end
+
+ def get_file
+ namespace = params[:namespace_id]
+ id = params[:project_id]
- return redirect_to uploader.url unless uploader.file_storage?
+ file_project = Project.find_with_namespace("#{namespace}/#{id}")
+ return nil if file_project.nil?
+
+ uploader = FileUploader.new(file_project, params[:secret])
uploader.retrieve_from_store!(params[:filename])
- return not_found! unless uploader.file.exists?
+ uploader
+ end
- disposition = uploader.image? ? 'inline' : 'attachment'
- send_file uploader.file.path, disposition: disposition
+ def authorize_uploads
+ uploader = get_file
+ unless uploader && uploader.image?
+ project
+ end
end
end
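Review bot: `authorize_uploads` skips the `project` check whenever `uploader.image?` is true, and `show` runs without `authenticate_user!`, so for those files the `params[:secret]` in the URL is the only access control left. How `image?` decides is not visible in this hunk. If it goes by the file name rather than the content, any upload named like an image is served to anonymous requests with `disposition: 'inline'`, so the accepted formats should be confirmed as safe to render inline. `get_file` and `authorize_uploads` are defined after `show` with no visibility modifier in view, so a `private` line above `def get_file` would stop them being exposed as action methods. `get_file` also runs twice per request (in the filter and again in `show`) and could be memoized with `@uploader ||=`, and with `redirect_to uploader.url unless uploader.file_storage?` removed, `send_file uploader.file.path` now assumes local file storage.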