author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:42:33 +0300 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:42:33 +0300 |
commit | 61ba82ab35a1a8b553e05036b88fd5b959d9a7f0 (patch) | |
tree | 057c44abdc2ba867c1b875c123dbd5ea525e61e4 /app | |
parent | 6075354ae38bf184d4908724b8e514a0377e92eb (diff) | |
parent | 0ef5f554d1a63362b87f00e10fa517d63c28c6a4 (diff) |
Merge branch 'security-personal-snippets-12-1' into '12-1-stable'
Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3358
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/uploads_actions.rb | 4 | ||||
-rw-r--r-- | app/controllers/uploads_controller.rb | 6 | ||||
-rw-r--r-- | app/uploaders/personal_file_uploader.rb | 4 |
3 files changed, 12 insertions, 2 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index f5d35379e10..60a68cec3c3 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -127,4 +127,8 @@ module UploadsActions
   def model
     strong_memoize(:model) { find_model }
   end
+
+  def workhorse_authorize_request?
+    action_name == 'authorize'
+  end
 end
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 94bd18f70d4..2adfeab182e 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -2,6 +2,7 @@
 
 class UploadsController < ApplicationController
   include UploadsActions
+  include WorkhorseRequest
 
   UnknownUploadModelError = Class.new(StandardError)
 
@@ -21,7 +22,8 @@ class UploadsController < ApplicationController
   before_action :upload_mount_satisfied?
   before_action :find_model
   before_action :authorize_access!, only: [:show]
-  before_action :authorize_create_access!, only: [:create]
+  before_action :authorize_create_access!, only: [:create, :authorize]
+  before_action :verify_workhorse_api!, only: [:authorize]
 
   def uploader_class
     PersonalFileUploader
@@ -72,7 +74,7 @@ class UploadsController < ApplicationController
   end
 
   def render_unauthorized
-    if current_user
+    if current_user || workhorse_authorize_request?
       render_404
     else
       authenticate_user!
diff --git a/app/uploaders/personal_file_uploader.rb b/app/uploaders/personal_file_uploader.rb
index 1ac69601d18..3efdd0aa1d9 100644
--- a/app/uploaders/personal_file_uploader.rb
+++ b/app/uploaders/personal_file_uploader.rb
@@ -6,6 +6,10 @@ class PersonalFileUploader < FileUploader
     options.storage_path
   end
 
+  def self.workhorse_local_upload_path
+    File.join(options.storage_path, 'uploads', TMP_UPLOAD_PATH)
+  end
+
   def self.base_dir(model, _store = nil)
     # base_dir is the path seen by the user when rendering Markdown, so
     # it should be the same for both local and object storage. It is
|
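Review bot: `workhorse_authorize_request?` classifies the request by `action_name` alone, so a true result does not mean the caller is Workhorse; that proof comes only from a separate `verify_workhorse_api!` before_action, which a controller including this concern has to register itself, as `UploadsController` does in this commit. Since the predicate is used to short-circuit `render_unauthorized`, the next controller to include the concern could easily rely on it alone. A comment above the method would pin this down: `# True for the Workhorse pre-upload 'authorize' action. Does not verify the Workhorse JWT; pair it with verify_workhorse_api!.` The enclosing module starts outside the hunk.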
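Review bot: the two new `before_action` lines together encode the rule that `:authorize` needs both the caller's create permission and a Workhorse-signed request, but nothing in the code says so, and `:authorize` is listed in both, so a later edit that touches one line and not the other weakens the gate silently. As written the access check runs first, so an unauthenticated direct request is answered by `render_unauthorized`, which the last hunk of this file turns into a 404 for this action instead of a login redirect. A comment above the pair would make the intent explicit: `# :authorize is the Workhorse pre-upload step: it requires create access on the model AND a valid Workhorse JWT.` The class continues outside the hunk.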
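Review bot: `self.workhorse_local_upload_path` returns a directory built from `options.storage_path`, `'uploads'` and `TMP_UPLOAD_PATH`, none of which is explained, and `TMP_UPLOAD_PATH` is not defined in the hunk (presumably inherited from `FileUploader`, which is not visible here). If, as the name suggests, Workhorse writes direct-upload temp files into whatever this returns, keeping the result under `options.storage_path` is the property that matters and should be recorded: `# Directory Workhorse writes direct-upload temp files into. Must stay under storage_path so uploaded data never lands outside the uploader's root.` The enclosing class starts and ends outside the hunk.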