Correctly handle blocked users.

1 files changed, 14 insertions, 15 deletions

diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
index 69d02affec2..c43d82f1288 100644
--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
@@ -1,9 +1,8 @@
 class Projects::UploadsController < Projects::ApplicationController
   layout 'project'
 
-  skip_before_filter :project, :repository, :authenticate_user!, only: [:show]
-
-  before_filter :authorize_uploads, only: [:show]
+  skip_before_filter :authenticate_user!, :reject_blocked!, :project, :repository, only: [:show]
+  before_filter :authenticate_user!, :reject_blocked!, :project, :repository, only: [:show], unless: :image?
 
   def create
     link_to_file = ::Projects::UploadService.new(project, params[:file]).
@@ -23,32 +22,32 @@ class Projects::UploadsController < Projects::ApplicationController
   end
 
   def show
-    uploader = get_file
-    
     return not_found! if uploader.nil? || !uploader.file.exists?
 
     disposition = uploader.image? ? 'inline' : 'attachment'
     send_file uploader.file.path, disposition: disposition
   end
 
-  def get_file
+  def uploader
+    return @uploader if defined?(@uploader)
+
     namespace = params[:namespace_id]
     id = params[:project_id]
 
     file_project = Project.find_with_namespace("#{namespace}/#{id}")
 
-    return nil if file_project.nil?
+    if file_project.nil?
+      @uploader = nil 
+      return
+    end
 
-    uploader = FileUploader.new(file_project, params[:secret])
-    uploader.retrieve_from_store!(params[:filename])
+    @uploader = FileUploader.new(file_project, params[:secret])
+    @uploader.retrieve_from_store!(params[:filename])
 
-    uploader
+    @uploader
   end
 
-  def authorize_uploads
-    uploader = get_file
-    unless uploader && uploader.image?
-      project
-    end
+  def image?
+    uploader && uploader.file.exists? && uploader.image?
   end
 end