author | Mark Chao <mchao@gitlab.com> | 2018-12-11 14:28:06 +0800 |
---|---|---|
committer | Mark Chao <mchao@gitlab.com> | 2018-12-20 14:39:47 +0800 |
commit | d0f0ff5ea1f73a8e9cb7fdc8830ba83a4cf0ece3 (patch) | |
tree | ed8e6120fad61e3fc4e9632ed8ffed56bd8ac770 /app | |
parent | d2120ff1e705799752e7d9704cae3f1896d8e186 (diff) | |
Block private snippets from being embeddable
Move `embeddable?` to the model so it can be used outside the view
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/snippets_controller.rb | 9 | ||||
-rw-r--r-- | app/controllers/snippets_controller.rb | 8 | ||||
-rw-r--r-- | app/helpers/snippets_helper.rb | 8 | ||||
-rw-r--r-- | app/models/snippet.rb | 6 | ||||
-rw-r--r-- | app/views/shared/snippets/_header.html.haml | 2 |
5 files changed, 22 insertions, 11 deletions
diff --git a/app/controllers/projects/snippets_controller.rb b/app/controllers/projects/snippets_controller.rb
index a44acb12bdf..255f1f3569a 100644
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -75,7 +75,14 @@ class Projects::SnippetsController < Projects::ApplicationController
format.json do
render_blob_json(blob)
end
- format.js { render 'shared/snippets/show'}
+
+ format.js do
+ if @snippet.embeddable?
+ render 'shared/snippets/show'
+ else
+ head :not_found
+ end
+ end
end
end
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index dd9bf17cf0c..8ea5450b4e8 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -80,7 +80,13 @@ class SnippetsController < ApplicationController
render_blob_json(blob)
end
- format.js { render 'shared/snippets/show' }
+ format.js do
+ if @snippet.embeddable?
+ render 'shared/snippets/show'
+ else
+ head :not_found
+ end
+ end
end
end
diff --git a/app/helpers/snippets_helper.rb b/app/helpers/snippets_helper.rb
index c7d31f3469d..a20c47ed91a 100644
--- a/app/helpers/snippets_helper.rb
+++ b/app/helpers/snippets_helper.rb
@@ -130,12 +130,4 @@ module SnippetsHelper
link_to external_snippet_icon('download'), download_url, class: 'btn', target: '_blank', title: 'Download', rel: 'noopener noreferrer'
end
-
- def public_snippet?
- if @snippet.project_id?
- can?(nil, :read_project_snippet, @snippet)
- else
- can?(nil, :read_personal_snippet, @snippet)
- end
- end
end
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 11856b55902..f9b23bbbf6c 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -175,6 +175,12 @@ class Snippet < ActiveRecord::Base
:visibility_level
end
+ def embeddable?
+ ability = project_id? ? :read_project_snippet : :read_personal_snippet
+
+ Ability.allowed?(nil, ability, self)
+ end
+
def notes_with_associations
notes.includes(:author)
end
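Review bot: The new `format.js` branch gates the embed on `@snippet.embeddable?` rather than on the current user's permission, and nothing in the hunk says why, so a later reader could "fix" it back to `can?(current_user, …)` and reopen the hole. The reason is that the embed script is fetched from third-party pages with no GitLab session, so the check has to be the anonymous read permission (`embeddable?` delegates to `Ability.allowed?(nil, …)` in the model hunk); a private snippet would otherwise appear to embed for its author and 404 for everyone else. I would add above the `format.js do` line: `# Embeds are loaded from other origins without a session: only snippets an anonymous visitor may read can be served as JS.` Answering 404 rather than 403 presumably matches how the rest of the app avoids revealing that a private resource exists; the enclosing `respond_to` block begins before the hunk.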
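Review bot: The embed gate is now duplicated: the `format.js` block added here is the same as the one added to `Projects::SnippetsController` in this commit, so the two copies must be kept in sync by hand and a future change to the embed policy could land in only one of them. Extracting it into one helper on a shared concern or `ApplicationController`, e.g. `def render_snippet_embed; @snippet.embeddable? ? render('shared/snippets/show') : head(:not_found); end`, and calling `format.js { render_snippet_embed }` in both controllers would remove that risk. The check itself looks right for the no-session, cross-origin case; the enclosing `respond_to` block begins before the hunk.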
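Review bot: `embeddable?` is the single predicate the controllers and the view now rely on, and it is undocumented; the `nil` in `Ability.allowed?(nil, ability, self)` is the whole point of the method and is easy to misread as a missing argument. I would put above `def embeddable?`: `# Whether the snippet may be served via the .js embed endpoint. Embeds run on third-party pages without a GitLab session, so this is the *anonymous* read permission, not any particular user's.` This assumes the policy layer treats a `nil` user as an anonymous visitor, as the removed `public_snippet?` helper already did with `can?(nil, …)`; it is also worth confirming that `read_project_snippet` for an anonymous user accounts for the project's own visibility, since that is the only thing gating project snippets here. Because the check is evaluated per request rather than stored, a snippet or project made private later will start returning 404 to existing embeds, which is the desired failure mode.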
diff --git a/app/views/shared/snippets/_header.html.haml b/app/views/shared/snippets/_header.html.haml
index 10bfc30492a..a43296aa806 100644
--- a/app/views/shared/snippets/_header.html.haml
+++ b/app/views/shared/snippets/_header.html.haml
@@ -30,7 +30,7 @@
- if @snippet.updated_at != @snippet.created_at
= edited_time_ago_with_tooltip(@snippet, placement: 'bottom', html_class: 'snippet-edited-ago', exclude_author: true)
- - if public_snippet?
+ - if @snippet.embeddable?
.embed-snippet
.input-group
.input-group-prepend |
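Review bot: The embed widget is now shown only when `@snippet.embeddable?`, which is the anonymous read permission rather than the current viewer's, and nothing on the changed line explains why the widget can vanish for a user who can plainly see the snippet. A one-line HAML comment above it, `-# Embed snippets are fetched without a session, so the widget is shown only when anonymous read is allowed`, would stop the next maintainer from swapping it for `can?(current_user, …)`. Using the same predicate here and in the controllers' `.js` gate keeps the UI and the endpoint from disagreeing.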