diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-07 01:30:08 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-07 01:30:24 +0300 |
commit | b9b8440df6afd24ba540343c612e522f52bea0db (patch) | |
tree | aecce7c15523692907d333edeb7c4f1a6d1044fc /app/controllers | |
parent | e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/uploads_controller.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb index 09419a4589d..66f715f32af 100644 --- a/app/controllers/uploads_controller.rb +++ b/app/controllers/uploads_controller.rb @@ -52,6 +52,8 @@ class UploadsController < ApplicationController # access to itself when a secret is given. # For instance, user avatars are readable by anyone, # while temporary, user snippet uploads are not. + return false if !current_user && public_visibility_restricted? + !secret? || can?(current_user, :update_user, model) when Appearance true |