From f4bdefdff1861c0d0e2e6ae3418be969c2600b5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?= <remy@rymai.me>
Date: Fri, 25 Mar 2016 12:31:43 +0100
Subject: Ensure private project snippets are not viewable by unauthorized
 people

Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/14607.
---
 app/models/ability.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'app/models')

diff --git a/app/models/ability.rb b/app/models/ability.rb
index fa2345f6faa..5f326729433 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -27,6 +27,8 @@ class Ability
       case true
       when subject.is_a?(PersonalSnippet)
         anonymous_personal_snippet_abilities(subject)
+      when subject.is_a?(ProjectSnippet)
+        anonymous_project_snippet_abilities(subject)
       when subject.is_a?(CommitStatus)
         anonymous_commit_status_abilities(subject)
       when subject.is_a?(Project) || subject.respond_to?(:project)
@@ -100,6 +102,14 @@ class Ability
       end
     end
 
+    def anonymous_project_snippet_abilities(snippet)
+      if snippet.public?
+        [:read_project_snippet]
+      else
+        []
+      end
+    end
+
     def global_abilities(user)
       rules = []
       rules << :create_group if user.can_create_group
-- 
cgit v1.2.1


From 4f07c0a107b86ea23834a6797989963f1a63f5c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?= <remy@rymai.me>
Date: Fri, 25 Mar 2016 18:51:17 +0100
Subject: Ensure project snippets have their own access level

---
 app/models/ability.rb | 46 +++++++++++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 15 deletions(-)

(limited to 'app/models')

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 5f326729433..c0bf6def7c5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -348,24 +348,22 @@ class Ability
       end
     end
 
-    [:note, :project_snippet].each do |name|
-      define_method "#{name}_abilities" do |user, subject|
-        rules = []
-
-        if subject.author == user
-          rules += [
-            :"read_#{name}",
-            :"update_#{name}",
-            :"admin_#{name}"
-          ]
-        end
+    def note_abilities(user, note)
+      rules = []
 
-        if subject.respond_to?(:project) && subject.project
-          rules += project_abilities(user, subject.project)
-        end
+      if note.author == user
+        rules += [
+          :read_note,
+          :update_note,
+          :admin_note
+        ]
+      end
 
-        rules
+      if note.respond_to?(:project) && note.project
+        rules += project_abilities(user, note.project)
       end
+
+      rules
     end
 
     def personal_snippet_abilities(user, snippet)
@@ -386,6 +384,24 @@ class Ability
       rules
     end
 
+    def project_snippet_abilities(user, snippet)
+      rules = []
+
+      if snippet.author == user || user.admin?
+        rules += [
+          :read_project_snippet,
+          :update_project_snippet,
+          :admin_project_snippet
+        ]
+      end
+
+      if snippet.public? || (snippet.internal? && !user.external?) || (snippet.private? && snippet.project.team.member?(user))
+        rules << :read_project_snippet
+      end
+
+      rules
+    end
+
     def group_member_abilities(user, subject)
       rules = []
       target_user = subject.user
-- 
cgit v1.2.1