Merge branch '25934-project-snippet-vis' into 'security-9-2'

Fix visibility when referencing snippets See merge request !2101
author: DJ Mountney <david@twkie.net> 2017-06-08 09:56:39 -0700
committer: DJ Mountney <david@twkie.net> 2017-06-08 09:56:39 -0700
commit: ae6adf165ce7d9a85d7b8886eefdbe96aac2816b (patch)
tree: 60ad286a01988df93196cea2c644a858a98999c0 /app/policies
parent: e1d1a5240c98a427f2ef10f2a7cbee0c9a883834 (diff)
download: gitlab-ce-ae6adf165ce7d9a85d7b8886eefdbe96aac2816b.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index cf8ff92617f..bc5c4f32f79 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -1,5 +1,10 @@
 class ProjectSnippetPolicy < BasePolicy
   def rules
+    # We have to check both project feature visibility and a snippet visibility and take the stricter one
+    # This will be simplified - check https://gitlab.com/gitlab-org/gitlab-ce/issues/27573
+    return unless @subject.project.feature_available?(:snippets, @user)
+    return unless Ability.allowed?(@user, :read_project, @subject.project)
+
     can! :read_project_snippet if @subject.public?
     return unless @user
author	DJ Mountney <david@twkie.net>	2017-06-08 09:56:39 -0700
committer	DJ Mountney <david@twkie.net>	2017-06-08 09:56:39 -0700
commit	ae6adf165ce7d9a85d7b8886eefdbe96aac2816b (patch)
tree	60ad286a01988df93196cea2c644a858a98999c0 /app/policies
parent	e1d1a5240c98a427f2ef10f2a7cbee0c9a883834 (diff)
download	gitlab-ce-ae6adf165ce7d9a85d7b8886eefdbe96aac2816b.tar.gz