author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-06 22:30:41 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-06 22:30:46 +0000 |
commit | e7d881a27db3902b5c355f960a070d7789e938fc (patch) | |
tree | fef9ebf5ce6a7aa2b3e159b71b7e89603b9598e9 | |
parent | a4a2a5fb31c918d043a5037437dcbd0a797e7ea5 (diff) | |
download | gitlab-ce-e7d881a27db3902b5c355f960a070d7789e938fc.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
-rw-r--r-- | app/controllers/uploads_controller.rb | 2 | ||||
-rw-r--r-- | spec/controllers/uploads_controller_spec.rb | 32 |
2 files changed, 27 insertions, 7 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 09419a4589d..66f715f32af 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -52,6 +52,8 @@ class UploadsController < ApplicationController
 # access to itself when a secret is given.
 # For instance, user avatars are readable by anyone,
 # while temporary, user snippet uploads are not.
+ return false if !current_user && public_visibility_restricted?
+
 !secret? || can?(current_user, :update_user, model)
 when Appearance
 true
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index e128db8d1c1..3e9c56d3274 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
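Review bot: The comment block directly above the added guard is now stale: it still states that user avatars are readable by anyone, while the new line refuses every anonymous request once public visibility is restricted, so a reader of this branch gets the wrong contract. Suggest amending the last comment line to `# while temporary, user snippet uploads are not; anonymous requests are refused outright when public visibility is restricted.` The enclosing method and its `case` on the model start before the hunk (the branch is presumably `when User`, given the `:update_user` ability), and `public_visibility_restricted?` is not defined in the hunk, so it presumably comes from an included helper whose exact semantics should be confirmed where it is defined. The guard covers only this branch; the `when Appearance` branch below still returns `true` unconditionally, which appears intentional.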
@@ -268,17 +268,35 @@ RSpec.describe UploadsController do
 end
 context "when not signed in" do
- it "responds with status 200" do
- get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+ context "when restricted visibility level is not set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [])
+ end
- expect(response).to have_gitlab_http_status(:ok)
+ it "responds with status 200" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it_behaves_like 'content publicly cached' do
+ subject do
+ get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+
+ response
+ end
+ end
 end
- it_behaves_like 'content publicly cached' do
- subject do
- get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+ context "when restricted visibility level is set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
- response
+ it "responds with status 401" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
 end
 end
 end |
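Review bot: The new `when restricted visibility level is set to public` context asserts only the anonymous 401; it does not show that a signed-in user still receives the avatar under the same setting, which is the other half of the guard (`!current_user && public_visibility_restricted?`) and the case most likely to regress silently. A second example in that context, `it "responds with status 200 when signed in"` with `sign_in(user)` in a `before`, would pin it. It may also be worth asserting that the 401 response does not carry the public cache headers that `content publicly cached` checks, since a cacheable denial could be retained by intermediaries; that shared example is defined outside this file, so the header assertion would need to mirror it. The enclosing `describe` block continues beyond the hunk.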