author | Grzegorz Bizon <grzegorz@gitlab.com> | 2019-09-02 12:05:33 +0000 |
---|---|---|
committer | Grzegorz Bizon <grzegorz@gitlab.com> | 2019-09-02 12:05:33 +0000 |
commit | 60fd42172fcf790b3cb612a3403227d4a97035a6 (patch) | |
tree | 6c04bf8eeba3b1cbc0139f602022657503d17201 /lib | |
parent | 305260df0606c2bacbc2aae54a1dc412ec14fe39 (diff) | |
parent | be0f039d9cb5f75a6853184f7d82dff7be00bb90 (diff) | |
download | gitlab-ce-60fd42172fcf790b3cb612a3403227d4a97035a6.tar.gz |
Merge branch '66803-fix-uploads-relative-link-filter' into 'master'
Fix permissions check in `RelativeLinkFilter`
See merge request gitlab-org/gitlab-ce!32448
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/relative_link_filter.rb | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb
index 846a7d46aad..2b734db5cfb 100644
--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@@ -19,7 +19,6 @@ module Banzai
 def call
 return doc if context[:system_note]
- return doc unless visible_to_user?
 @uri_types = {}
 clear_memoization(:linkable_files)
@@ -50,7 +49,7 @@ module Banzai
 if html_attr.value.start_with?('/uploads/')
 process_link_to_upload_attr(html_attr)
- elsif linkable_files?
+ elsif linkable_files? && repo_visible_to_user?
 process_link_to_repository_attr(html_attr)
 end
 end
@@ -168,14 +167,8 @@ module Banzai
 Gitlab.config.gitlab.relative_url_root.presence || '/'
 end
- def visible_to_user?
- if project
- Ability.allowed?(current_user, :download_code, project)
- elsif group
- Ability.allowed?(current_user, :read_group, group)
- else # Objects detached from projects or groups, e.g. Personal Snippets.
- true
- end
+ def repo_visible_to_user?
+ project && Ability.allowed?(current_user, :download_code, project)
 end
 def ref |
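Review bot: In the second hunk the authorization test runs last in `elsif linkable_files? && repo_visible_to_user?`, so `linkable_files?` is still evaluated for a viewer who fails `:download_code`. Its definition is outside the diff, but `call` clears a `:linkable_files` memo, which suggests it reads repository state. Putting the ability check first, `elsif repo_visible_to_user? && linkable_files?`, keeps any repository access behind the permission and short-circuits on the cheaper test. `repo_visible_to_user?` is also re-evaluated for every attribute, so memoizing it per document would avoid repeated ability lookups, provided the memo is cleared in `call` next to `:linkable_files`. The enclosing method starts above this hunk.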
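Review bot: `repo_visible_to_user?` in the third hunk has no comment, and the removed `visible_to_user?` was the only place that spelled out the group and detached-object cases, so the hunks no longer record why `/uploads/` links are rewritten without any ability check. A comment above the method such as `# Gates repository links only; upload links are rewritten for every viewer, including group and project-less contexts.` would keep that decision visible. If access to the upload itself is enforced when it is fetched, that belongs in the same comment, since it is the assumption that makes dropping the early return in `call` safe. The diffstat is limited to `lib`, so I cannot see specs; a case for a viewer without `:download_code` (upload link rewritten, repository link left untouched) would pin both halves of the fix.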