author | Sean McGivern <sean@gitlab.com> | 2017-04-25 14:41:26 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@gitlab.com> | 2017-05-10 16:44:20 +0200 |
commit | d9ec830a8348fca93775c5f0b1f81a83e8c4f95a (patch) | |
tree | 2c3949ca2f22bc195bb54a96fee5ac0971c6f745 /app/controllers/snippets_controller.rb | |
parent | 9ae401cf91c9d545602b9aa86afcd306fc6e3467 (diff) | |
Merge branch 'snippets_visibility' into 'security'
Fix snippets visibility for show action - external users cannot see internal snippets
See merge request !2087
Diffstat (limited to 'app/controllers/snippets_controller.rb')
-rw-r--r-- | app/controllers/snippets_controller.rb | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 19e07e3ab86..656a365b701 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
 protected
 
 def snippet
- @snippet ||= if current_user
- PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
- current_user.id,
- [Snippet::PUBLIC, Snippet::INTERNAL]).
- find(params[:id])
- else
- PersonalSnippet.find(params[:id])
- end
+ @snippet ||= PersonalSnippet.find_by(id: params[:id])
 end
+
 alias_method :awardable, :snippet
 alias_method :spammable, :snippet
 
 def authorize_read_snippet!
- authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+ return if can?(current_user, :read_personal_snippet, @snippet)
+
+ if current_user
+ render_404
+ else
+ authenticate_user!
+ end
 end
 
 def authorize_update_snippet! |
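Review bot: The new `snippet` body returns nil for an unknown id instead of raising RecordNotFound, so `authorize_read_snippet!` now also has to cover the not-found case, and it does so only implicitly: `can?` is presumably false for a nil subject, which sends anonymous visitors to `authenticate_user!` and signed-in users to `render_404`. That outcome is the desirable one — an unauthenticated caller cannot tell a private snippet from a nonexistent one — but it is easy to break later by adding a `return render_404 unless @snippet` guard ahead of the `can?` call, so it deserves a comment, e.g. `# A nil @snippet (unknown id) must take the same path as a forbidden one, so anonymous callers get no existence oracle.` Any other action that reaches `@snippet` without passing through `authorize_read_snippet!` would now hit a NoMethodError on nil where it previously got a 404; the `before_action` declarations are outside the hunk, so this is worth confirming. Consider also reading `snippet` rather than `@snippet` in the check so the lookup is memoized regardless of filter order.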