Merge branch 'dbalexandre/gitlab-ce-fix-personal-snippet-access-workflow' into 'master'

Improve personal snippet access workflow. Replaces !1709 Fixes #3258 See merge request !1817
author: Robert Speicher <robert@gitlab.com> 2015-11-19 17:22:20 +0000
committer: Robert Speicher <robert@gitlab.com> 2015-11-19 17:22:20 +0000
commit: 56476f18475deb896c09b47e967dc5146f66778b (patch)
tree: 24b7ba2336f37923671aa5d9e958f6fd7ae23f61 /app
parent: 3a85c93a7a077312aa13c0078c6b32719eb930ae (diff)
parent: 08dc38223e0c18233052e04ac95a4f6942fcb1b5 (diff)
download: gitlab-ce-56476f18475deb896c09b47e967dc5146f66778b.tar.gz
2 files changed, 68 insertions, 23 deletions
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 9f9f9a92f11..08f2483af33 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -1,6 +1,9 @@
 class SnippetsController < ApplicationController
   before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
 
+  # Allow read snippet
+  before_action :authorize_read_snippet!, only: [:show]
+
   # Allow modify snippet
   before_action :authorize_update_snippet!, only: [:edit, :update]
 
@@ -79,10 +82,14 @@ class SnippetsController < ApplicationController
                      [Snippet::PUBLIC, Snippet::INTERNAL]).
                      find(params[:id])
                  else
-                   PersonalSnippet.are_public.find(params[:id])
+                   PersonalSnippet.find(params[:id])
                  end
   end
 
+  def authorize_read_snippet!
+    authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+  end
+
   def authorize_update_snippet!
     return render_404 unless can?(current_user, :update_personal_snippet, @snippet)
   end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 500af08d209..07f3a56ec7a 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -1,8 +1,8 @@
 class Ability
   class << self
     def allowed(user, subject)
-      return not_auth_abilities(user, subject) if user.nil?
-      return [] unless user.kind_of?(User)
+      return anonymous_abilities(user, subject) if user.nil?
+      return [] unless user.is_a?(User)
       return [] if user.blocked?
 
       case subject.class.name
@@ -20,15 +20,25 @@ class Ability
       end.concat(global_abilities(user))
     end
 
-    # List of possible abilities
-    # for non-authenticated user
-    def not_auth_abilities(user, subject)
-      project = if subject.kind_of?(Project)
+    # List of possible abilities for anonymous user
+    def anonymous_abilities(user, subject)
+      case true
+      when subject.is_a?(PersonalSnippet)
+        anonymous_personal_snippet_abilities(subject)
+      when subject.is_a?(Project) || subject.respond_to?(:project)
+        anonymous_project_abilities(subject)
+      when subject.is_a?(Group) || subject.respond_to?(:group)
+        anonymous_group_abilities(subject)
+      else
+        []
+      end
+    end
+
+    def anonymous_project_abilities(subject)
+      project = if subject.is_a?(Project)
                   subject
-                elsif subject.respond_to?(:project)
-                  subject.project
                 else
-                  nil
+                  subject.project
                 end
 
       if project && project.public?
@@ -48,19 +58,29 @@ class Ability
 
         rules - project_disabled_features_rules(project)
       else
-        group = if subject.kind_of?(Group)
-                  subject
-                elsif subject.respond_to?(:group)
-                  subject.group
-                else
-                  nil
-                end
+        []
+      end
+    end
 
-        if group && group.public_profile?
-          [:read_group]
-        else
-          []
-        end
+    def anonymous_group_abilities(subject)
+      group = if subject.is_a?(Group)
+                subject
+              else
+                subject.group
+              end
+
+      if group && group.public_profile?
+        [:read_group]
+      else
+        []
+      end
+    end
+
+    def anonymous_personal_snippet_abilities(snippet)
+      if snippet.public?
+        [:read_personal_snippet]
+      else
+        []
       end
     end
 
@@ -280,7 +300,7 @@ class Ability
       end
     end
 
-    [:note, :project_snippet, :personal_snippet].each do |name|
+    [:note, :project_snippet].each do |name|
       define_method "#{name}_abilities" do |user, subject|
         rules = []
 
@@ -300,6 +320,24 @@ class Ability
       end
     end
 
+    def personal_snippet_abilities(user, snippet)
+      rules = []
+
+      if snippet.author == user
+        rules += [
+          :read_personal_snippet,
+          :update_personal_snippet,
+          :admin_personal_snippet
+        ]
+      end
+
+      if snippet.public? || snippet.internal?
+        rules << :read_personal_snippet 
+      end
+
+      rules
+    end
+
     def group_member_abilities(user, subject)
       rules = []
       target_user = subject.user
author	Robert Speicher <robert@gitlab.com>	2015-11-19 17:22:20 +0000
committer	Robert Speicher <robert@gitlab.com>	2015-11-19 17:22:20 +0000
commit	56476f18475deb896c09b47e967dc5146f66778b (patch)
tree	24b7ba2336f37923671aa5d9e958f6fd7ae23f61 /app
parent	3a85c93a7a077312aa13c0078c6b32719eb930ae (diff)
parent	08dc38223e0c18233052e04ac95a4f6942fcb1b5 (diff)
download	gitlab-ce-56476f18475deb896c09b47e967dc5146f66778b.tar.gz