Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-07 01:30:08 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-01-07 01:30:24 +0300
commit: b9b8440df6afd24ba540343c612e522f52bea0db (patch)
tree: aecce7c15523692907d333edeb7c4f1a6d1044fc /app/controllers
parent: e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 09419a4589d..66f715f32af 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -52,6 +52,8 @@ class UploadsController < ApplicationController
       # access to itself when a secret is given.
       # For instance, user avatars are readable by anyone,
       # while temporary, user snippet uploads are not.
+      return false if !current_user && public_visibility_restricted?
+
       !secret? || can?(current_user, :update_user, model)
     when Appearance
       true
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-07 01:30:08 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-01-07 01:30:24 +0300
commit	b9b8440df6afd24ba540343c612e522f52bea0db (patch)
tree	aecce7c15523692907d333edeb7c4f1a6d1044fc /app/controllers
parent	e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff)