author | Stan Hu <stanhu@gmail.com> | 2016-04-24 21:45:26 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2016-04-25 12:02:06 -0700 |
commit | d5267dfd0dac8e4cab4919bf8aca611de3a5497b (patch) | |
tree | 522d7edfaaf022e2d41cba82a76187777c9e9a2c /lib/api/project_snippets.rb | |
parent | 81cb636e4fcb7ea76db84a92aac65a73f2376458 (diff) | |
download | gitlab-ce-d5267dfd0dac8e4cab4919bf8aca611de3a5497b.tar.gz |
Prevent private snippets in public/internal projects from being leaked via API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580
Diffstat (limited to 'lib/api/project_snippets.rb')
-rw-r--r-- | lib/api/project_snippets.rb | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/api/project_snippets.rb b/lib/api/project_snippets.rb
index 22ce3c6a066..ce1bf0d26d2 100644
--- a/lib/api/project_snippets.rb
+++ b/lib/api/project_snippets.rb
@@ -11,6 +11,11 @@ module API
 end
 not_found!
 end
+
+ def snippets_for_current_user
+ finder_params = { filter: :by_project, project: user_project }
+ SnippetsFinder.new.execute(current_user, finder_params)
+ end
 end
 
 # Get a project snippets
@@ -20,7 +25,7 @@ module API
 # Example Request:
 # GET /projects/:id/snippets
 get ":id/snippets" do
- present paginate(user_project.snippets), with: Entities::ProjectSnippet
+ present paginate(snippets_for_current_user), with: Entities::ProjectSnippet
 end
 
 # Get a project snippet
@@ -31,7 +36,7 @@ module API
 # Example Request:
 # GET /projects/:id/snippets/:snippet_id
 get ":id/snippets/:snippet_id" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
 present @snippet, with: Entities::ProjectSnippet
 end
 
@@ -73,7 +78,7 @@ module API
 # Example Request:
 # PUT /projects/:id/snippets/:snippet_id
 put ":id/snippets/:snippet_id" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
 authorize! :update_project_snippet, @snippet
 
 attrs = attributes_for_keys [:title, :file_name, :visibility_level]
@@ -97,7 +102,7 @@ module API
 # DELETE /projects/:id/snippets/:snippet_id
 delete ":id/snippets/:snippet_id" do
 begin
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
 authorize! :update_project_snippet, @snippet
 @snippet.destroy
 rescue
@@ -113,7 +118,7 @@ module API
 # Example Request:
 # GET /projects/:id/snippets/:snippet_id/raw
 get ":id/snippets/:snippet_id/raw" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
 env['api.format'] = :txt
 content_type 'text/plain'
 
|
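Review bot: The new helper `snippets_for_current_user` in the first hunk carries no comment explaining why it replaces `user_project.snippets`, which is the whole security point of this commit; a later maintainer could "simplify" it back and silently reopen the leak. I would add above the `def`: `# Scope through SnippetsFinder so private snippets in public/internal projects are never visible to users who cannot see them; do not replace with user_project.snippets`. The helper is defined inside a block whose opening line is outside the hunk. In the DELETE hunk the new `snippets_for_current_user.find(...)` now sits inside a `begin` with a bare `rescue`, so a snippet hidden by the finder presumably raises RecordNotFound and lands in that rescue branch rather than the `not_found!` path the GET routes take; if the rescue branch (outside the hunk) answers with a different status, that difference is itself a way to distinguish "hidden" from "absent", so it is worth confirming the two paths respond identically.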