diff options
| author | Sean McGivern <sean@gitlab.com> | 2017-04-25 14:41:26 +0000 |
|---|---|---|
| committer | Bob Van Landuyt <bob@gitlab.com> | 2017-05-10 16:44:20 +0200 |
| commit | d9ec830a8348fca93775c5f0b1f81a83e8c4f95a (patch) | |
| tree | 2c3949ca2f22bc195bb54a96fee5ac0971c6f745 | |
| parent | 9ae401cf91c9d545602b9aa86afcd306fc6e3467 (diff) | |
| download | gitlab-ce-d9ec830a8348fca93775c5f0b1f81a83e8c4f95a.tar.gz | |
Merge branch 'snippets_visibility' into 'security'
Fix snippets visibility for show action - external users can not see internal snippets
See merge request !2087
| -rw-r--r-- | app/controllers/snippets_controller.rb | 18 | ||||
| -rw-r--r-- | changelogs/unreleased/snippets_visibility.yml | 4 | ||||
| -rw-r--r-- | spec/controllers/snippets_controller_spec.rb | 6 | ||||
| -rw-r--r-- | spec/features/snippets/internal_snippet_spec.rb | 23 |
4 files changed, 39 insertions, 12 deletions
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb index 19e07e3ab86..656a365b701 100644 --- a/app/controllers/snippets_controller.rb +++ b/app/controllers/snippets_controller.rb @@ -103,20 +103,20 @@ class SnippetsController < ApplicationController protected def snippet - @snippet ||= if current_user - PersonalSnippet.where("author_id = ? OR visibility_level IN (?)", - current_user.id, - [Snippet::PUBLIC, Snippet::INTERNAL]). - find(params[:id]) - else - PersonalSnippet.find(params[:id]) - end + @snippet ||= PersonalSnippet.find_by(id: params[:id]) end + alias_method :awardable, :snippet alias_method :spammable, :snippet def authorize_read_snippet! - authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet) + return if can?(current_user, :read_personal_snippet, @snippet) + + if current_user + render_404 + else + authenticate_user! + end end def authorize_update_snippet! diff --git a/changelogs/unreleased/snippets_visibility.yml b/changelogs/unreleased/snippets_visibility.yml new file mode 100644 index 00000000000..4c10c6882ab --- /dev/null +++ b/changelogs/unreleased/snippets_visibility.yml @@ -0,0 +1,4 @@ +--- +title: Fix snippets visibility for show action - external users can not see internal snippets +merge_request: +author: diff --git a/spec/controllers/snippets_controller_spec.rb b/spec/controllers/snippets_controller_spec.rb index 41cd5bdcdd8..da46431b700 100644 --- a/spec/controllers/snippets_controller_spec.rb +++ b/spec/controllers/snippets_controller_spec.rb @@ -132,7 +132,7 @@ describe SnippetsController do it 'responds with status 404' do get :show, id: 'doesntexist' - expect(response).to have_http_status(404) + expect(response).to redirect_to(new_user_session_path) end end end @@ -478,10 +478,10 @@ describe SnippetsController do end context 'when not signed in' do - it 'responds with status 404' do + it 'redirects to the sign in path' do get :raw, id: 'doesntexist' - expect(response).to have_http_status(404) + expect(response).to redirect_to(new_user_session_path) end end end diff --git a/spec/features/snippets/internal_snippet_spec.rb b/spec/features/snippets/internal_snippet_spec.rb new file mode 100644 index 00000000000..93382f4c359 --- /dev/null +++ b/spec/features/snippets/internal_snippet_spec.rb @@ -0,0 +1,23 @@ +require 'rails_helper' + +feature 'Internal Snippets', feature: true, js: true do + let(:internal_snippet) { create(:personal_snippet, :internal) } + + describe 'normal user' do + before do + login_as :user + end + + scenario 'sees internal snippets' do + visit snippet_path(internal_snippet) + + expect(page).to have_content(internal_snippet.content) + end + + scenario 'sees raw internal snippets' do + visit raw_snippet_path(internal_snippet) + + expect(page).to have_content(internal_snippet.content) + end + end +end |