authorDouwe Maan <douwe@gitlab.com>2015-02-20 13:13:48 +0100
committerDouwe Maan <douwe@gitlab.com>2015-02-20 13:13:48 +0100
commit00ca490259de684f4240de4f61728b8eaefbb13e (patch)
tree1b27729d864898dc8c87473359ad642b7432ce3b /config/routes.rb
parent4310431ee73fdd6aa3874aaccc0a901252e7f61f (diff)
Use controllers to serve uploads, with XSS prevention and access control.
Diffstat (limited to 'config/routes.rb')
-rw-r--r--config/routes.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/config/routes.rb b/config/routes.rb
index 65786d83566..0e7f7d893d4 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -69,7 +69,19 @@ Gitlab::Application.routes.draw do
end
end
+ #
+ # Uploads
+ #
+ scope path: :uploads do
+ # Note attachments and User/Group/Project avatars
+ get ":model/:mounted_as/:id/:filename", to: "uploads#show",
+ constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
+
+ # Project markdown uploads
+ get ":id/:secret/:filename", to: "projects/uploads#show",
+ constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
+ end
#
# Explore area
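Review bot: The `filename: /.+/` constraint on both new routes lets the segment match `/` as well as `.`, so `params[:filename]` can reach the controllers as a multi-segment path rather than a bare file name. If the intent is only to permit dots, `filename: /[^\/]+/` does that while keeping the value to a single path segment; the controllers (not shown in this file's diff) should still resolve the file through the record's uploader rather than joining the parameter onto a directory. In the first route `:id` is unconstrained, and assuming it is a numeric primary key, `id: /\d+/` would reject anything else at the router. Because the first route is matched first, a project path such as `group/avatar` would, unless such names are reserved elsewhere, be dispatched to `uploads#show` instead of `projects/uploads#show`; a comment above the two routes such as `# Order matters: model routes shadow namespace/project paths named note|user|group|project` would record that assumption. The `routes.draw` block starts and ends outside the hunk.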