
authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-07 01:30:41 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-07 01:30:46 +0300
commite7d881a27db3902b5c355f960a070d7789e938fc (patch)
treefef9ebf5ce6a7aa2b3e159b71b7e89603b9598e9
parenta4a2a5fb31c918d043a5037437dcbd0a797e7ea5 (diff)
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
-rw-r--r--app/controllers/uploads_controller.rb2
-rw-r--r--spec/controllers/uploads_controller_spec.rb32
2 files changed, 27 insertions, 7 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 09419a4589d..66f715f32af 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -52,6 +52,8 @@ class UploadsController < ApplicationController
# access to itself when a secret is given.
# For instance, user avatars are readable by anyone,
# while temporary, user snippet uploads are not.
+ return false if !current_user && public_visibility_restricted?
+
!secret? || can?(current_user, :update_user, model)
when Appearance
true
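Review bot: The comment directly above the new guard, `# For instance, user avatars are readable by anyone,`, is now inaccurate: the line added beneath it denies anonymous access to every User-mounted upload as soon as public visibility is restricted, so the next reader would take a stale statement at face value. I would change it to `# For instance, user avatars are readable by anyone unless the instance restricts public visibility,` so the comment and the guard agree. Placing the guard before the `!secret? || can?(current_user, :update_user, model)` check is the right order, since on a restricted instance an anonymous request must fail whether or not the upload is secret. `public_visibility_restricted?` is not defined in this hunk and is presumably a helper on the base controller; it should be confirmed to read the same `restricted_visibility_levels` setting the accompanying spec stubs. The enclosing method and its `case` statement begin before this hunk.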
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index e128db8d1c1..3e9c56d3274 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -268,17 +268,35 @@ RSpec.describe UploadsController do
end
context "when not signed in" do
- it "responds with status 200" do
- get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+ context "when restricted visibility level is not set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [])
+ end
- expect(response).to have_gitlab_http_status(:ok)
+ it "responds with status 200" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it_behaves_like 'content publicly cached' do
+ subject do
+ get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+
+ response
+ end
+ end
end
- it_behaves_like 'content publicly cached' do
- subject do
- get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+ context "when restricted visibility level is set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
- response
+ it "responds with status 401" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
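Review bot: The new restricted-visibility context (`stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])`) asserts only the anonymous 401 and has no signed-in example, so a regression in the controller guard that also locked out authenticated users would pass this spec unless another context outside this hunk covers it. More relevant to the fix's intent, the non-restricted context shows avatar responses carry public cache headers (`it_behaves_like 'content publicly cached'`); if the controller still emits those headers for a signed-in request on a restricted instance, a shared proxy or CDN in front of GitLab could serve the cached avatar to unauthenticated clients and bypass the new check. I would add a signed-in example under the restricted context that expects 200 and asserts the `Cache-Control` header is not public; if that assertion fails, the controller needs a follow-up rather than the spec. As a point of style, the three identical `get :show, params: { ... }` calls could be hoisted into one `subject`, as the shared-example block already does for one of them.
```ruby
      context "when restricted visibility level is set to public" do
        # … unchanged: before block and the anonymous 401 example …

        context "when signed in" do
          before do
            sign_in(user) # use whatever sign-in helper the file's other signed-in contexts rely on
          end

          it "responds with status 200 without public cache headers" do
            get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }

            expect(response).to have_gitlab_http_status(:ok)
            expect(response.headers['Cache-Control']).not_to include('public')
          end
        end
      end
```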