From d9ec830a8348fca93775c5f0b1f81a83e8c4f95a Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Tue, 25 Apr 2017 14:41:26 +0000 Subject: Merge branch 'snippets_visibility' into 'security' Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087 --- app/controllers/snippets_controller.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'app/controllers/snippets_controller.rb') diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb index 19e07e3ab86..656a365b701 100644 --- a/app/controllers/snippets_controller.rb +++ b/app/controllers/snippets_controller.rb @@ -103,20 +103,20 @@ class SnippetsController < ApplicationController protected def snippet - @snippet ||= if current_user - PersonalSnippet.where("author_id = ? OR visibility_level IN (?)", - current_user.id, - [Snippet::PUBLIC, Snippet::INTERNAL]). - find(params[:id]) - else - PersonalSnippet.find(params[:id]) - end + @snippet ||= PersonalSnippet.find_by(id: params[:id]) end + alias_method :awardable, :snippet alias_method :spammable, :snippet def authorize_read_snippet! - authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet) + return if can?(current_user, :read_personal_snippet, @snippet) + + if current_user + render_404 + else + authenticate_user! + end end def authorize_update_snippet! -- cgit v1.2.1