summaryrefslogtreecommitdiff
path: root/lib/api/project_snippets.rb
diff options
context:
space:
mode:
authorStan Hu <stanhu@gmail.com>2016-04-24 21:45:26 -0700
committerStan Hu <stanhu@gmail.com>2016-04-25 12:02:06 -0700
commitd5267dfd0dac8e4cab4919bf8aca611de3a5497b (patch)
tree522d7edfaaf022e2d41cba82a76187777c9e9a2c /lib/api/project_snippets.rb
parent81cb636e4fcb7ea76db84a92aac65a73f2376458 (diff)
downloadgitlab-ce-d5267dfd0dac8e4cab4919bf8aca611de3a5497b.tar.gz
Prevent private snippets in public/internal projects from being leaked via API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580
Diffstat (limited to 'lib/api/project_snippets.rb')
-rw-r--r--lib/api/project_snippets.rb15
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/api/project_snippets.rb b/lib/api/project_snippets.rb
index 22ce3c6a066..ce1bf0d26d2 100644
--- a/lib/api/project_snippets.rb
+++ b/lib/api/project_snippets.rb
@@ -11,6 +11,11 @@ module API
end
not_found!
end
+
+ def snippets_for_current_user
+ finder_params = { filter: :by_project, project: user_project }
+ SnippetsFinder.new.execute(current_user, finder_params)
+ end
end
# Get a project snippets
@@ -20,7 +25,7 @@ module API
# Example Request:
# GET /projects/:id/snippets
get ":id/snippets" do
- present paginate(user_project.snippets), with: Entities::ProjectSnippet
+ present paginate(snippets_for_current_user), with: Entities::ProjectSnippet
end
# Get a project snippet
@@ -31,7 +36,7 @@ module API
# Example Request:
# GET /projects/:id/snippets/:snippet_id
get ":id/snippets/:snippet_id" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
present @snippet, with: Entities::ProjectSnippet
end
@@ -73,7 +78,7 @@ module API
# Example Request:
# PUT /projects/:id/snippets/:snippet_id
put ":id/snippets/:snippet_id" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
authorize! :update_project_snippet, @snippet
attrs = attributes_for_keys [:title, :file_name, :visibility_level]
@@ -97,7 +102,7 @@ module API
# DELETE /projects/:id/snippets/:snippet_id
delete ":id/snippets/:snippet_id" do
begin
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
authorize! :update_project_snippet, @snippet
@snippet.destroy
rescue
@@ -113,7 +118,7 @@ module API
# Example Request:
# GET /projects/:id/snippets/:snippet_id/raw
get ":id/snippets/:snippet_id/raw" do
- @snippet = user_project.snippets.find(params[:snippet_id])
+ @snippet = snippets_for_current_user.find(params[:snippet_id])
env['api.format'] = :txt
content_type 'text/plain'