From be0f039d9cb5f75a6853184f7d82dff7be00bb90 Mon Sep 17 00:00:00 2001 From: Heinrich Lee Yu Date: Fri, 30 Aug 2019 17:44:30 +0800 Subject: Fix upload URLs in Markdown Fixes RelativeLinkFilter for users that don't have access to the project's repository --- lib/banzai/filter/relative_link_filter.rb | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb index 846a7d46aad..2b734db5cfb 100644 --- a/lib/banzai/filter/relative_link_filter.rb +++ b/lib/banzai/filter/relative_link_filter.rb @@ -19,7 +19,6 @@ module Banzai def call return doc if context[:system_note] - return doc unless visible_to_user? @uri_types = {} clear_memoization(:linkable_files) @@ -50,7 +49,7 @@ module Banzai if html_attr.value.start_with?('/uploads/') process_link_to_upload_attr(html_attr) - elsif linkable_files? + elsif linkable_files? && repo_visible_to_user? process_link_to_repository_attr(html_attr) end end @@ -168,14 +167,8 @@ module Banzai Gitlab.config.gitlab.relative_url_root.presence || '/' end - def visible_to_user? - if project - Ability.allowed?(current_user, :download_code, project) - elsif group - Ability.allowed?(current_user, :read_group, group) - else # Objects detached from projects or groups, e.g. Personal Snippets. - true - end + def repo_visible_to_user? + project && Ability.allowed?(current_user, :download_code, project) end def ref -- cgit v1.2.1
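Review bot: In the changed condition `elsif linkable_files? && repo_visible_to_user?` the permission check runs second, so `linkable_files?` is still evaluated for a viewer who may not be allowed to see the repository. Its body is outside this hunk, but if it inspects the repository (existence, emptiness), putting the ability check first keeps that work behind the gate: `elsif repo_visible_to_user? && linkable_files?`. The `/uploads/` branch above it is now deliberately unguarded, and a short comment would record why, for example `# Upload links are rewritten for every viewer; access to the file is checked when it is requested`, assuming that is where the check happens. The enclosing method starts and ends outside the hunk.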
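Review bot: `repo_visible_to_user?` guards only the repository branch, so with `visible_to_user?` removed the `/uploads/` rewrite runs with no ability check at all, including for group-scoped content that previously required `:read_group`. `process_link_to_upload_attr` is not visible here; if it builds the URL from the project or group path, confirm that this path is not disclosed to a viewer who cannot read that namespace, and cover it with a spec for a guest or anonymous viewer of a private project and a private group. The predicate is also re-evaluated for every link attribute, whereas `linkable_files` is memoized (see `clear_memoization(:linkable_files)` in `call`); memoizing it the same way and clearing it in `call` would avoid repeated `Ability.allowed?` lookups. A one-line comment such as `# Repository links need :download_code; upload links are handled for all viewers` above the method would document the split.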