author | Douwe Maan <douwe@gitlab.com> | 2016-03-29 08:21:48 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-03-29 08:21:48 +0000 |
commit | a7ca8689f7e3a71c69c29203821b8e8b44254216 (patch) | |
tree | 0bb199efb55436638f9b47a4252c35b163c8f0bb /app | |
parent | d73e1288595ef673b2d9c3024d7fe3909dac7184 (diff) | |
parent | 4f07c0a107b86ea23834a6797989963f1a63f5c1 (diff) | |
download | gitlab-ce-a7ca8689f7e3a71c69c29203821b8e8b44254216.tar.gz |
Merge branch 'fix-14607' into 'master'
Ensure private project snippets are not viewable by unauthorized people
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14607
See merge request !1946
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/snippets_controller.rb | 6 | ||||
-rw-r--r-- | app/models/ability.rb | 56 |
2 files changed, 46 insertions, 16 deletions
diff --git a/app/controllers/projects/snippets_controller.rb b/app/controllers/projects/snippets_controller.rb
index b578b419a46..6d2901a24a4 100644
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -3,7 +3,7 @@ class Projects::SnippetsController < Projects::ApplicationController
 before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
 
 # Allow read any snippet
- before_action :authorize_read_project_snippet!
+ before_action :authorize_read_project_snippet!, except: [:new, :create, :index]
 
 # Allow write(create) snippet
 before_action :authorize_create_project_snippet!, only: [:new, :create]
@@ -81,6 +81,10 @@ class Projects::SnippetsController < Projects::ApplicationController
 @snippet ||= @project.snippets.find(params[:id])
 end
 
+ def authorize_read_project_snippet!
+ return render_404 unless can?(current_user, :read_project_snippet, @snippet)
+ end
+
 def authorize_update_project_snippet!
 return render_404 unless can?(current_user, :update_project_snippet, @snippet)
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index fa2345f6faa..c0bf6def7c5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -27,6 +27,8 @@ class Ability
 case true
 when subject.is_a?(PersonalSnippet)
 anonymous_personal_snippet_abilities(subject)
+ when subject.is_a?(ProjectSnippet)
+ anonymous_project_snippet_abilities(subject)
 when subject.is_a?(CommitStatus)
 anonymous_commit_status_abilities(subject)
 when subject.is_a?(Project) || subject.respond_to?(:project)
@@ -100,6 +102,14 @@ class Ability
 end
 end
 
+ def anonymous_project_snippet_abilities(snippet)
+ if snippet.public?
+ [:read_project_snippet]
+ else
+ []
+ end
+ end
+
 def global_abilities(user)
 rules = []
 rules << :create_group if user.can_create_group
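Review bot: Exempting `index` from `authorize_read_project_snippet!` leaves the listing with no snippet-level check at all, since `before_action :snippet` never sets `@snippet` for `index`; the privacy of the list now rests on the project-level authorization inherited from Projects::ApplicationController and on whatever scope the `index` action queries, neither of which is in this hunk. If `index` lists `@project.snippets` without filtering by what `current_user` may read, titles of private snippets would still be visible to anyone who can read the project, so that scope is worth confirming. A short comment on the exemption would also spare the next reader the same question, e.g. `# index has no @snippet; the listing is gated by the project-level read check and the scope used in #index`.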
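Review bot: The new `when subject.is_a?(ProjectSnippet)` branch only takes effect because it sits above `when subject.is_a?(Project) || subject.respond_to?(:project)`; a ProjectSnippet responds to `project` too (the new `project_snippet_abilities` in the later hunk calls `snippet.project`), so placing it below that branch would silently return the parent project's anonymous ability set and the snippet-specific rule would never apply. That ordering dependency deserves an inline note: `# keep above the respond_to?(:project) branch: a ProjectSnippet also responds to :project`. The enclosing `case true` starts and ends outside the hunk.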
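Review bot: `anonymous_project_snippet_abilities` grants `:read_project_snippet` on `snippet.public?` alone, without consulting the parent project's visibility; the `snippet.public?` clause of `project_snippet_abilities` in the later hunk has the same shape. On the controller path a project-level read check presumably runs first, but any other caller that asks `can?(nil, :read_project_snippet, snippet)` directly would get a grant for a public snippet inside a project the user cannot see, if that combination can exist. Stating the precondition in a doc comment makes the contract explicit: `# Assumes the caller has already authorized :read_project on snippet.project.`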
@@ -338,24 +348,22 @@ class Ability
 end
 end
 
- [:note, :project_snippet].each do |name|
- define_method "#{name}_abilities" do |user, subject|
- rules = []
-
- if subject.author == user
- rules += [
- :"read_#{name}",
- :"update_#{name}",
- :"admin_#{name}"
- ]
- end
+ def note_abilities(user, note)
+ rules = []
 
- if subject.respond_to?(:project) && subject.project
- rules += project_abilities(user, subject.project)
- end
+ if note.author == user
+ rules += [
+ :read_note,
+ :update_note,
+ :admin_note
+ ]
+ end
 
- rules
+ if note.respond_to?(:project) && note.project
+ rules += project_abilities(user, note.project)
 end
+
+ rules
 end
 
 def personal_snippet_abilities(user, snippet)
@@ -376,6 +384,24 @@ class Ability
 rules
 end
 
+ def project_snippet_abilities(user, snippet)
+ rules = []
+
+ if snippet.author == user || user.admin?
+ rules += [
+ :read_project_snippet,
+ :update_project_snippet,
+ :admin_project_snippet
+ ]
+ end
+
+ if snippet.public? || (snippet.internal? && !user.external?) || (snippet.private? && snippet.project.team.member?(user))
+ rules << :read_project_snippet
+ end
+
+ rules
+ end
+
 def group_member_abilities(user, subject)
 rules = []
 target_user = subject.user
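Review bot: The first branch of `project_snippet_abilities` grants read, update and admin to `snippet.author` unconditionally, so a user who has since been removed from `snippet.project.team` keeps full control of private snippets they wrote; the removed `define_method` version behaved the same way, so this is carried over rather than introduced, but it is worth a deliberate decision and a comment such as `# Authorship alone grants admin, even after the author leaves the project team`. The visibility line is dense enough that a reader must parse three parenthesised clauses to find the private-snippet gate; one `rules << :read_project_snippet if ...` per visibility level, or a private predicate naming the membership requirement, would make it stand out. `:read_project_snippet` can also be pushed twice for an author of a public snippet, which is harmless for `include?` but shows up in the returned array.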