author | Douwe Maan <douwe@gitlab.com> | 2015-03-10 14:50:42 +0100 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-03-10 17:13:02 +0100 |
commit | f5e42f602f8a4eb85a7087bc0f407f9510df0ea8 (patch) | |
tree | 89efac00135d7b8d46a28d87635278f73967121b /app/controllers/uploads_controller.rb | |
parent | e0caed91e2cd6b959f808139df7c40f3644f88fd (diff) | |
download | gitlab-ce-f5e42f602f8a4eb85a7087bc0f407f9510df0ea8.tar.gz |
Reject access to group/project avatar if the user doesn't have access.
Diffstat (limited to 'app/controllers/uploads_controller.rb')
-rw-r--r-- | app/controllers/uploads_controller.rb | 48 |
1 files changed, 32 insertions, 16 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 810ac9f34bd..c5f3da54ea2 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -1,24 +1,15 @@
 class UploadsController < ApplicationController
-  skip_before_filter :authenticate_user!, :reject_blocked!
-  before_filter :authorize_access
+  skip_before_filter :authenticate_user!
+  before_filter :find_model, :authorize_access!
 
   def show
-    unless upload_model && upload_mount
-      return not_found!
-    end
-
-    model = upload_model.find(params[:id])
-    uploader = model.send(upload_mount)
-
-    if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
-      return not_found!
-    end
+    uploader = @model.send(upload_mount)
 
     unless uploader.file_storage?
       return redirect_to uploader.url
     end
 
-    unless uploader.file.exists?
+    unless uploader.file && uploader.file.exists?
       return not_found!
     end
 
@@ -28,9 +19,34 @@ class UploadsController < ApplicationController
   private
 
-  def authorize_access
-    unless params[:mounted_as] == 'avatar'
-      authenticate_user! && reject_blocked!
+  def find_model
+    unless upload_model && upload_mount
+      return not_found!
+    end
+
+    @model = upload_model.find(params[:id])
+  end
+
+  def authorize_access!
+    authorized =
+      case @model
+      when Project
+        can?(current_user, :read_project, @model)
+      when Group
+        can?(current_user, :read_group, @model)
+      when Note
+        can?(current_user, :read_project, @model.project)
+      else
+        # No authentication required for user avatars.
+        true
+      end
+
+    return if authorized
+
+    if current_user
+      not_found!
+    else
+      authenticate_user!
+    end
   end
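Review bot: `uploader = @model.send(upload_mount)` in `show` dispatches on a method name that is computed outside this hunk (`upload_mount` is defined elsewhere in the controller, so how tightly it is restricted is not visible here), and `send` can reach private methods as well as the public mount accessors. Narrowing it to `uploader = @model.public_send(upload_mount)` keeps the behaviour for legitimate mounts and limits what a mis-validated mount name could invoke. If `upload_mount` is already constrained to a fixed set of mount names the exposure is theoretical, but the narrower call still records that intent. The body of `show` continues past the end of the hunk.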
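Review bot: The `else` branch of `case @model` in `authorize_access!` is a fail-open default: every class that `upload_model` can resolve to but that is not Project, Group or Note is treated as publicly readable, while the comment says this is intended only for user avatars. Matching the intended class explicitly and denying anything else keeps a later addition to `upload_model` from silently skipping authorization: replace the `else` arm with `when User` / `true` and add `else` / `false` before the closing `end`. The `find_model` filter relies on `upload_model` and `upload_mount`, both defined outside the hunk, so whether `User` is the only remaining case cannot be confirmed from this diff; if it is, the explicit arm costs nothing and makes the allow-list visible in the method itself.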