
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorSean McGivern <sean@gitlab.com>2017-04-25 17:41:26 +0300
committerBob Van Landuyt <bob@gitlab.com>2017-05-10 17:44:20 +0300
commitd9ec830a8348fca93775c5f0b1f81a83e8c4f95a (patch)
tree2c3949ca2f22bc195bb54a96fee5ac0971c6f745 /app/controllers/snippets_controller.rb
parent9ae401cf91c9d545602b9aa86afcd306fc6e3467 (diff)
Merge branch 'snippets_visibility' into 'security'
Fix snippets visibility for show action - external users cannot see internal snippets. See merge request !2087
Diffstat (limited to 'app/controllers/snippets_controller.rb')
-rw-r--r--app/controllers/snippets_controller.rb18
1 files changed, 9 insertions, 9 deletions
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 19e07e3ab86..656a365b701 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
protected
def snippet
- @snippet ||= if current_user
- PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
- current_user.id,
- [Snippet::PUBLIC, Snippet::INTERNAL]).
- find(params[:id])
- else
- PersonalSnippet.find(params[:id])
- end
+ @snippet ||= PersonalSnippet.find_by(id: params[:id])
end
+
alias_method :awardable, :snippet
alias_method :spammable, :snippet
def authorize_read_snippet!
- authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+ return if can?(current_user, :read_personal_snippet, @snippet)
+
+ if current_user
+ render_404
+ else
+ authenticate_user!
+ end
end
def authorize_update_snippet!
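Review bot: `authorize_read_snippet!` passes the `@snippet` instance variable to `can?` instead of calling the memoized `snippet` method, so the check only sees the record if something earlier in the request has already populated it. Now that the lookup in `snippet` no longer applies any visibility scope, this filter is the only read gate visible in the hunk, and I would make it independent of callback order with `return if can?(current_user, :read_personal_snippet, snippet)`. Switching from `find` to `find_by` also means an unknown id yields nil rather than raising, so any action that calls `snippet` without first passing through an authorize filter would now operate on nil; a short comment on `snippet` such as `# Returns nil when the id is unknown; visibility is enforced by the authorize_* filters, not here` would make that contract explicit. The filter declarations and the body of `authorize_update_snippet!` are outside the hunk, so the ordering and the nil handling in the other filters cannot be confirmed from here.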