Diffstat (limited to 'app/controllers/uploads_controller.rb')
-rw-r--r--app/controllers/uploads_controller.rb71
1 files changed, 71 insertions, 0 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
new file mode 100644
index 00000000000..c5f3da54ea2
--- /dev/null
+++ b/app/controllers/uploads_controller.rb
@@ -0,0 +1,71 @@
+class UploadsController < ApplicationController
+ skip_before_filter :authenticate_user!
+ before_filter :find_model, :authorize_access!
+
+ def show
+ uploader = @model.send(upload_mount)
+
+ unless uploader.file_storage?
+ return redirect_to uploader.url
+ end
+
+ unless uploader.file && uploader.file.exists?
+ return not_found!
+ end
+
+ disposition = uploader.image? ? 'inline' : 'attachment'
+ send_file uploader.file.path, disposition: disposition
+ end
+
+ private
+
+ def find_model
+ unless upload_model && upload_mount
+ return not_found!
+ end
+
+ @model = upload_model.find(params[:id])
+ end
+
+ def authorize_access!
+ authorized =
+ case @model
+ when Project
+ can?(current_user, :read_project, @model)
+ when Group
+ can?(current_user, :read_group, @model)
+ when Note
+ can?(current_user, :read_project, @model.project)
+ else
+ # No authentication required for user avatars.
+ true
+ end
+
+ return if authorized
+
+ if current_user
+ not_found!
+ else
+ authenticate_user!
+ end
+ end
+
+ def upload_model
+ upload_models = {
+ user: User,
+ project: Project,
+ note: Note,
+ group: Group
+ }
+
+ upload_models[params[:model].to_sym]
+ end
+
+ def upload_mount
+ upload_mounts = %w(avatar attachment file)
+
+ if upload_mounts.include?(params[:mounted_as])
+ params[:mounted_as]
+ end
+ end
+end
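Review bot: `upload_model` calls `params[:model].to_sym` on unvalidated request input, so every distinct `model` value an unauthenticated caller sends is interned as a symbol (not garbage-collected on Rubies before 2.2), and a request without a `model` parameter raises `NoMethodError` on `nil` and surfaces as a 500 instead of the `not_found!` that `find_model` intends. `upload_mount` already whitelists with `include?` before using the value; `upload_model` should do the same before converting, e.g. replace the last line with `model_name = params[:model].to_s` / `return unless upload_models.key?(model_name.to_sym) || %w(user project note group).include?(model_name)` simplified to `return unless %w(user project note group).include?(model_name)` followed by `upload_models[model_name.to_sym]`, or switch the hash to string keys and index it with `params[:model]` directly. A short comment above the hash noting that it is the only accepted set of model names would also make the intent of the lookup clear to the next reader.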