Ensure private project snippets are not viewable by unauthorized people

Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/14607.
author: Rémy Coutable <remy@rymai.me> 2016-03-25 14:31:43 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-03-25 14:33:42 +0300
commit: f4bdefdff1861c0d0e2e6ae3418be969c2600b5f (patch)
tree: 1b1ae954e494d3dcfda2c82f77cdfeab391f83e4 /app/controllers/projects/snippets_controller.rb
parent: 63c8a05bf7f18ac4093ece1f08b4b5fd8dba5fac (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/projects/snippets_controller.rb b/app/controllers/projects/snippets_controller.rb
index b578b419a46..383b86b68e0 100644
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -3,7 +3,7 @@ class Projects::SnippetsController < Projects::ApplicationController
   before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
 
   # Allow read any snippet
-  before_action :authorize_read_project_snippet!
+  before_action :authorize_read_project_snippet!, except: [:index]
 
   # Allow write(create) snippet
   before_action :authorize_create_project_snippet!, only: [:new, :create]
@@ -81,6 +81,10 @@ class Projects::SnippetsController < Projects::ApplicationController
     @snippet ||= @project.snippets.find(params[:id])
   end
 
+  def authorize_read_project_snippet!
+    return render_404 unless can?(current_user, :read_project_snippet, @snippet)
+  end
+
   def authorize_update_project_snippet!
     return render_404 unless can?(current_user, :update_project_snippet, @snippet)
   end
author	Rémy Coutable <remy@rymai.me>	2016-03-25 14:31:43 +0300
committer	Rémy Coutable <remy@rymai.me>	2016-03-25 14:33:42 +0300
commit	f4bdefdff1861c0d0e2e6ae3418be969c2600b5f (patch)
tree	1b1ae954e494d3dcfda2c82f77cdfeab391f83e4 /app/controllers/projects/snippets_controller.rb
parent	63c8a05bf7f18ac4093ece1f08b4b5fd8dba5fac (diff)