authorVinnie Okada <vokada@mrvinn.com>2015-03-07 12:47:06 -0700
committerVinnie Okada <vokada@mrvinn.com>2015-03-08 17:57:08 -0600
commit928fc94c3d900069902b097d6464acee712a886c (patch)
treee30cbea42055c082e76881bd36ccd94f72afac8e /app/services
parent285c5341855f8af6cbea5e964e3104a4698fa450 (diff)
downloadgitlab-ce-928fc94c3d900069902b097d6464acee712a886c.tar.gz
Enforce restricted visibilities for snippets
Add new service classes to create and update project and personal snippets. These classes are responsible for enforcing restricted visibility settings for non-admin users.
Diffstat (limited to 'app/services')
-rw-r--r--app/services/base_service.rb15
-rw-r--r--app/services/create_snippet_service.rb20
-rw-r--r--app/services/projects/base_service.rb18
-rw-r--r--app/services/projects/create_service.rb2
-rw-r--r--app/services/projects/update_service.rb2
-rw-r--r--app/services/update_snippet_service.rb6
6 files changed, 40 insertions, 23 deletions
diff --git a/app/services/base_service.rb b/app/services/base_service.rb
index 8b07d7a4361..6d9ed345914 100644
--- a/app/services/base_service.rb
+++ b/app/services/base_service.rb
@@ -31,6 +31,21 @@ class BaseService
SystemHooksService.new
end
+ # Add an error to the specified model for restricted visibility levels
+ def deny_visibility_level(model, denied_visibility_level = nil)
+ denied_visibility_level ||= model.visibility_level
+
+ level_name = 'Unknown'
+ Gitlab::VisibilityLevel.options.each do |name, level|
+ level_name = name if level == denied_visibility_level
+ end
+
+ model.errors.add(
+ :visibility_level,
+ "#{level_name} visibility has been restricted by your GitLab administrator"
+ )
+ end
+
private
def error(message, http_status = nil)
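Review bot: The name lookup in `deny_visibility_level` compares `level == denied_visibility_level` without normalising the type, so a level that arrives as a request string never matches and the error reads "Unknown visibility has been restricted…". The update_snippet_service.rb hunk suggests this case is real: it adds `.to_i` to its own comparison but still passes the raw `new_visibility` into this method. Coercing a non-nil value once after the default is applied, e.g. `denied_visibility_level = denied_visibility_level.to_i`, would keep the message accurate, assuming the `options` values are integers, which this hunk does not show. The method is also added above `private`, so it becomes part of every service's public interface; if only services call it, it would sit better below `private`.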
diff --git a/app/services/create_snippet_service.rb b/app/services/create_snippet_service.rb
new file mode 100644
index 00000000000..101a3df5eee
--- /dev/null
+++ b/app/services/create_snippet_service.rb
@@ -0,0 +1,20 @@
+class CreateSnippetService < BaseService
+ def execute
+ if project.nil?
+ snippet = PersonalSnippet.new(params)
+ else
+ snippet = project.snippets.build(params)
+ end
+
+ unless Gitlab::VisibilityLevel.allowed_for?(current_user,
+ params[:visibility_level])
+ deny_visibility_level(snippet)
+ return snippet
+ end
+
+ snippet.author = current_user
+
+ snippet.save
+ snippet
+ end
+end
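Review bot: The restriction check in `execute` tests `params[:visibility_level]` rather than the level the snippet will actually be saved with. If the parameter is omitted, the snippet presumably takes the model's default level and that default is never tested; if it arrives as a string, the outcome depends on whether `allowed_for?` (not shown here) coerces its argument. Checking the built object instead, `Gitlab::VisibilityLevel.allowed_for?(current_user, snippet.visibility_level)`, ties enforcement to the persisted value. `UpdateSnippetService#execute` passes the same raw value to `allowed_for?`. A spec covering a non-admin who submits a restricted level as a string, or with the parameter missing, would pin the behaviour down.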
diff --git a/app/services/projects/base_service.rb b/app/services/projects/base_service.rb
deleted file mode 100644
index 2a683e0d40a..00000000000
--- a/app/services/projects/base_service.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-module Projects
- class BaseService < ::BaseService
- # Add an error to the project for restricted visibility levels
- def deny_visibility_level(project, denied_visibility_level = nil)
- denied_visibility_level ||= project.visibility_level
-
- level_name = 'Unknown'
- Gitlab::VisibilityLevel.options.each do |name, level|
- level_name = name if level == denied_visibility_level
- end
-
- project.errors.add(
- :visibility_level,
- "#{level_name} visibility has been restricted by your GitLab administrator"
- )
- end
- end
-end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index 5f166a9a30b..7ffd0b3882a 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -1,5 +1,5 @@
module Projects
- class CreateService < Projects::BaseService
+ class CreateService < BaseService
def initialize(user, params)
@current_user, @params = user, params.dup
end
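Review bot: Inside `module Projects`, the bare `BaseService` superclass resolves to the top-level class only because `Projects::BaseService` is deleted in this same commit. Writing `class CreateService < ::BaseService` states the intent and stays correct if a namespaced base class is ever reintroduced. The same applies to `Projects::UpdateService` in update_service.rb. The class body continues outside the hunk.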
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index 823afadc186..69bdd045ddf 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -1,5 +1,5 @@
module Projects
- class UpdateService < Projects::BaseService
+ class UpdateService < BaseService
def execute
# check that user is allowed to set specified visibility_level
new_visibility = params[:visibility_level]
diff --git a/app/services/update_snippet_service.rb b/app/services/update_snippet_service.rb
index b7a719f2526..9d181c2d2ab 100644
--- a/app/services/update_snippet_service.rb
+++ b/app/services/update_snippet_service.rb
@@ -1,7 +1,7 @@
class UpdateSnippetService < BaseService
attr_accessor :snippet
- def initialize(project = nil, user, snippet, params = {})
+ def initialize(project, user, snippet, params)
super(project, user, params)
@snippet = snippet
end
@@ -9,10 +9,10 @@ class UpdateSnippetService < BaseService
def execute
# check that user is allowed to set specified visibility_level
new_visibility = params[:visibility_level]
- if new_visibility && new_visibility != snippet.visibility_level
+ if new_visibility && new_visibility.to_i != snippet.visibility_level
unless can?(current_user, :change_visibility_level, snippet) &&
Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
- deny_visibility_level(snippet, new_visibility_level)
+ deny_visibility_level(snippet, new_visibility)
return snippet
end
end