
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorRémy Coutable <remy@rymai.me>2016-03-25 20:51:17 +0300
committerRémy Coutable <remy@rymai.me>2016-03-25 20:51:17 +0300
commit4f07c0a107b86ea23834a6797989963f1a63f5c1 (patch)
treea9348baea79a6245304b8f4d5d0edfe5256b38af /app/models/ability.rb
parentf4bdefdff1861c0d0e2e6ae3418be969c2600b5f (diff)
Ensure project snippets have their own access level
Diffstat (limited to 'app/models/ability.rb')
-rw-r--r--app/models/ability.rb46
1 files changed, 31 insertions, 15 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 5f326729433..c0bf6def7c5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -348,24 +348,22 @@ class Ability
end
end
- [:note, :project_snippet].each do |name|
- define_method "#{name}_abilities" do |user, subject|
- rules = []
-
- if subject.author == user
- rules += [
- :"read_#{name}",
- :"update_#{name}",
- :"admin_#{name}"
- ]
- end
+ def note_abilities(user, note)
+ rules = []
- if subject.respond_to?(:project) && subject.project
- rules += project_abilities(user, subject.project)
- end
+ if note.author == user
+ rules += [
+ :read_note,
+ :update_note,
+ :admin_note
+ ]
+ end
- rules
+ if note.respond_to?(:project) && note.project
+ rules += project_abilities(user, note.project)
end
+
+ rules
end
def personal_snippet_abilities(user, snippet)
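Review bot: `note_abilities` grants `:read_note`, `:update_note` and `:admin_note` on authorship alone, and the project rules are only added on top, so an author who no longer has access to `note.project` still receives all three from this method. That behaviour is carried over from the removed `define_method` block, but now that the method is written out it is worth documenting, e.g. `# Author rules are independent of project access; callers must check project visibility first`, or gating the author branch on the project check if that is not intended. The `note.respond_to?(:project)` test looks like a leftover from the generic version; if every note responds to `project`, `note.project` alone would do.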
@@ -386,6 +384,24 @@ class Ability
rules
end
+ def project_snippet_abilities(user, snippet)
+ rules = []
+
+ if snippet.author == user || user.admin?
+ rules += [
+ :read_project_snippet,
+ :update_project_snippet,
+ :admin_project_snippet
+ ]
+ end
+
+ if snippet.public? || (snippet.internal? && !user.external?) || (snippet.private? && snippet.project.team.member?(user))
+ rules << :read_project_snippet
+ end
+
+ rules
+ end
+
def group_member_abilities(user, subject)
rules = []
target_user = subject.user
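Review bot: The read rule on the long `if snippet.public? || ...` line never consults the project, so a snippet whose own level is public or internal yields `:read_project_snippet` even when the user could not read `snippet.project`; the removed generic block merged `project_abilities`, the new method does not. If project access is enforced before this method is reached, say so in a comment above the condition, e.g. `# Snippet visibility only; project access is checked by the caller`; if it is not, the condition should also require that the user can read the project. The same drop of `project_abilities` means any project-role rules for updating or administering snippets no longer apply here, which deserves a spec per role. `user.admin?` and `user.external?` also assume a non-nil user; the nil handling, if any, is outside this hunk.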