Merge branch 'security-bw-confidential-titles-through-markdown-api' into 'master'

[master] Confidential issue/private snippet titles can be read by unauthenticated user through GFM markdown API Closes #2706 See merge request gitlab/gitlabhq!2507
author: Bob Van Landuyt <bob@gitlab.com> 2018-10-05 17:47:52 +0000
committer: Bob Van Landuyt <bob@gitlab.com> 2018-10-05 17:47:52 +0000
commit: 36bd07838263f709b0ca9af4830ee75cde7e8f97 (patch)
tree: b64f4170048b6299b45e8b50900584ac58af5984 /lib/api/markdown.rb
parent: d26bf613b45066b3d2c78ef539cffc109cc39064 (diff)
parent: 829c9c65f9b730b3ecad7d3ba222e3dcd6489b85 (diff)
download: gitlab-ce-36bd07838263f709b0ca9af4830ee75cde7e8f97.tar.gz
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/api/markdown.rb b/lib/api/markdown.rb
index 50d8a1ac596..de77bef43ce 100644
--- a/lib/api/markdown.rb
+++ b/lib/api/markdown.rb
@@ -12,7 +12,8 @@ module API
         detail "This feature was introduced in GitLab 11.0."
       end
       post do
-        context = { only_path: false }
+        context = { only_path: false, current_user: current_user }
+        context[:pipeline] = params[:gfm] ? :full : :plain_markdown
 
         if params[:project]
           project = Project.find_by_full_path(params[:project])
@@ -24,9 +25,7 @@ module API
           context[:skip_project_check] = true
         end
 
-        context[:pipeline] = params[:gfm] ? :full : :plain_markdown
-
-        { html: Banzai.render(params[:text], context) }
+        { html: Banzai.render_and_post_process(params[:text], context) }
       end
     end
   end
author	Bob Van Landuyt <bob@gitlab.com>	2018-10-05 17:47:52 +0000
committer	Bob Van Landuyt <bob@gitlab.com>	2018-10-05 17:47:52 +0000
commit	36bd07838263f709b0ca9af4830ee75cde7e8f97 (patch)
tree	b64f4170048b6299b45e8b50900584ac58af5984 /lib/api/markdown.rb
parent	d26bf613b45066b3d2c78ef539cffc109cc39064 (diff)
parent	829c9c65f9b730b3ecad7d3ba222e3dcd6489b85 (diff)
download	gitlab-ce-36bd07838263f709b0ca9af4830ee75cde7e8f97.tar.gz