diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:22 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:22 +0300 |
| commit | 34c2b6adf9966ac7ad9a9e699211a6074af13fbc (patch) | |
| tree | 1325c567fbaec574402f55e653dec252c7eddcd1 /app | |
| parent | 170cb8bc1828b80019fa45e48bc37161973e7a0e (diff) | |
| parent | 41d52bbfe9725a93013ea6b072efcdc16e591b14 (diff) | |
Merge branch 'security-personal-snippets' into 'master'
Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3226
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/concerns/uploads_actions.rb | 4 | ||||
| -rw-r--r-- | app/controllers/uploads_controller.rb | 6 | ||||
| -rw-r--r-- | app/uploaders/personal_file_uploader.rb | 4 |
3 files changed, 12 insertions, 2 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb index f5d35379e10..60a68cec3c3 100644 --- a/app/controllers/concerns/uploads_actions.rb +++ b/app/controllers/concerns/uploads_actions.rb @@ -127,4 +127,8 @@ module UploadsActions def model strong_memoize(:model) { find_model } end + + def workhorse_authorize_request? + action_name == 'authorize' + end end diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb index 94bd18f70d4..2adfeab182e 100644 --- a/app/controllers/uploads_controller.rb +++ b/app/controllers/uploads_controller.rb @@ -2,6 +2,7 @@ class UploadsController < ApplicationController include UploadsActions + include WorkhorseRequest UnknownUploadModelError = Class.new(StandardError) @@ -21,7 +22,8 @@ class UploadsController < ApplicationController before_action :upload_mount_satisfied? before_action :find_model before_action :authorize_access!, only: [:show] - before_action :authorize_create_access!, only: [:create] + before_action :authorize_create_access!, only: [:create, :authorize] + before_action :verify_workhorse_api!, only: [:authorize] def uploader_class PersonalFileUploader @@ -72,7 +74,7 @@ class UploadsController < ApplicationController end def render_unauthorized - if current_user + if current_user || workhorse_authorize_request? render_404 else authenticate_user! diff --git a/app/uploaders/personal_file_uploader.rb b/app/uploaders/personal_file_uploader.rb index 1ac69601d18..3efdd0aa1d9 100644 --- a/app/uploaders/personal_file_uploader.rb +++ b/app/uploaders/personal_file_uploader.rb @@ -6,6 +6,10 @@ class PersonalFileUploader < FileUploader options.storage_path end + def self.workhorse_local_upload_path + File.join(options.storage_path, 'uploads', TMP_UPLOAD_PATH) + end + def self.base_dir(model, _store = nil) # base_dir is the path seen by the user when rendering Markdown, so # it should be the same for both local and object storage. It is |