author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-06-14 13:39:01 +0400 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-06-14 13:39:01 +0400 |
commit | 87fd342a2317567f7854570dd5624dd64dffebd4 (patch) | |
tree | f61e94d900124811fdc88a57daa4ffe2dabf8b07 /app | |
parent | 2af8ace1dc49e5ff59be01c2063139a3244b9cee (diff) | |
parent | 47d6f70528dd4b41739c0a6767f74a8a40d9aaaa (diff) |
Merge branch 'more-secure-api' into 'master'
More secure api
Don't expose user email via API. Fixes #1314
Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/project_users_select.js.coffee | 8 | ||||
-rw-r--r-- | app/assets/javascripts/users_select.js.coffee | 8 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 3 | ||||
-rw-r--r-- | app/helpers/application_helper.rb | 18 | ||||
-rw-r--r-- | app/models/user.rb | 8 | ||||
-rw-r--r-- | app/services/gravatar_service.rb | 28 |
6 files changed, 49 insertions, 24 deletions
diff --git a/app/assets/javascripts/project_users_select.js.coffee b/app/assets/javascripts/project_users_select.js.coffee
index 382f9b37992..cfbcd5108c8 100644
--- a/app/assets/javascripts/project_users_select.js.coffee
+++ b/app/assets/javascripts/project_users_select.js.coffee
@@ -37,13 +37,9 @@ projectUserFormatResult: (user) ->
 if user.avatar_url
- avatar = gon.relative_url_root + user.avatar_url
- else if gon.gravatar_enabled
- avatar = gon.gravatar_url
- avatar = avatar.replace('%{hash}', md5(user.email))
- avatar = avatar.replace('%{size}', '24')
+ avatar = user.avatar_url
 else
- avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+ avatar = gon.default_avatar_url
 if user.id == ''
 avatarMarkup = ''
diff --git a/app/assets/javascripts/users_select.js.coffee b/app/assets/javascripts/users_select.js.coffee
index da66a4ba7f2..86318bd7d94 100644
--- a/app/assets/javascripts/users_select.js.coffee
+++ b/app/assets/javascripts/users_select.js.coffee
@@ -1,13 +1,9 @@
 $ ->
 userFormatResult = (user) ->
 if user.avatar_url
- avatar = gon.relative_url_root + user.avatar_url
- else if gon.gravatar_enabled
- avatar = gon.gravatar_url
- avatar = avatar.replace('%{hash}', md5(user.email))
- avatar = avatar.replace('%{size}', '24')
+ avatar = user.avatar_url
 else
- avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+ avatar = gon.default_avatar_url
 "<div class='user-result'>
 <div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 685d41a5520..603e89a5e29 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
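Review bot: The new `avatar = user.avatar_url` line silently relies on the API now returning an absolute URL (the removed code prefixed `gon.relative_url_root`), and nothing in this file records that contract, so a later change to `User#avatar_url` would break avatars only on installs with a relative URL root. Add above the `if user.avatar_url` line: `# avatar_url arrives absolute from the API (User#avatar_url builds it from gitlab.url); do not prefix gon.relative_url_root`. The same applies to `gon.default_avatar_url`, which the controller now also builds as an absolute URL. `projectUserFormatResult` continues past the end of this hunk.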
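Review bot: `avatar` is still interpolated unescaped into the `src='#{avatar}'` attribute on the context line at the end of the hunk, and its value now comes from the API (`user.avatar_url`) rather than from a local md5 of the address; for uploaded avatars that URL is derived from the stored file name (`avatar.url` in `User#avatar_url`), so the safety of this markup rests on the uploader's file-name sanitizing, which this hunk cannot show. If the dropdown's result markup is not escaped elsewhere (no `escapeMarkup` handling is visible here), attribute-escape the value before building the string, e.g. `avatar = avatar.replace(/&/g, '&amp;').replace(/'/g, '&#39;').replace(/</g, '&lt;')`, or build the `<img>` with jQuery and assign `src` as a property. The enclosing `userFormatResult` continues past the end of the hunk.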
@@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
 def add_gon_variables
 gon.default_issues_tracker = Project.issues_tracker.default_value
 gon.api_version = API::API.version
- gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
 gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
- gon.gravatar_enabled = Gitlab.config.gravatar.enabled
+ gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
 if current_user
 gon.current_user_id = current_user.id
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 13120d2e581..c3d89eb1b82 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -60,23 +60,21 @@ module ApplicationHelper
 def avatar_icon(user_email = '', size = nil)
 user = User.find_by(email: user_email)
- if user && user.avatar.present?
- user.avatar.url
+
+ if user
+ user.avatar_url(size) || default_avatar
 else
 gravatar_icon(user_email, size)
 end
 end
 def gravatar_icon(user_email = '', size = nil)
- size = 40 if size.nil? || size <= 0
+ GravatarService.new.execute(user_email, size) ||
+ default_avatar
+
- if !Gitlab.config.gravatar.enabled || user_email.blank?
- image_path('no_avatar.png')
- else
- gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
- user_email.strip!
- sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
- end
+ def default_avatar
+ image_path('no_avatar.png')
 end
 def last_commit(project)
diff --git a/app/models/user.rb b/app/models/user.rb
index 0fbc9284dd8..2352f8c050b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
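Review bot: `gon.default_avatar_url` is composed from `Gitlab.config.gitlab.url` rather than from the request, which is the safer source (a request-derived host comes from the client-supplied Host header), but the line carries no comment and the same `URI::join(Gitlab.config.gitlab.url, …)` expression is repeated in `User#avatar_url` in this commit; record the reasoning so a later cleanup does not swap in `request.base_url`: `# absolute on purpose: the users-select JS uses it as-is, mirroring API avatar_url; built from config, not the request, so the host is not client-controlled`. The trade-off is that an install whose configured scheme differs from the one the browser used (TLS terminated upstream with `https: false`) now loads the placeholder as mixed content, where the removed root-relative `gon.relative_url_root + image_path(...)` in the JS did not; that is a configuration matter, but worth a line in the upgrade notes. `add_gon_variables` continues past the end of the hunk.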
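Review bot: `avatar_icon` now normalizes the address on only one side: `GravatarService#execute` strips and downcases before hashing, while the `User.find_by(email: user_email)` lookup at the top of the hunk is still an exact match, so an address that differs from the stored one only by case or surrounding whitespace skips that user's uploaded avatar and is sent to Gravatar instead. If the application stores emails lowercased (not visible here), normalizing once before the lookup, `user = User.find_by(email: user_email.to_s.strip.downcase)`, keeps both paths consistent and also tolerates an explicit `nil` argument, which the `''` default does not cover. `gravatar_icon` also deserves a docstring stating that it returns a URL for any address it is given, registered user or not, since callers that pass commit-author addresses thereby publish the MD5 of those addresses in the page.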
@@ -482,4 +482,12 @@ class User < ActiveRecord::Base
 def public_profile?
 authorized_projects.public_only.any?
 end
+
+ def avatar_url(size = nil)
+ if avatar.present?
+ URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
+ else
+ GravatarService.new.execute(email, size)
+ end
+ end
 end
diff --git a/app/services/gravatar_service.rb b/app/services/gravatar_service.rb
new file mode 100644
index 00000000000..a69c7c78377
--- /dev/null
+++ b/app/services/gravatar_service.rb
@@ -0,0 +1,28 @@
+class GravatarService
+ def execute(email, size = nil)
+ if gravatar_config.enabled && email.present?
+ size = 40 if size.nil? || size <= 0
+
+ sprintf gravatar_url,
+ hash: Digest::MD5.hexdigest(email.strip.downcase),
+ size: size,
+ email: email.strip
+ end
+ end
+
+ def gitlab_config
+ Gitlab.config.gitlab
+ end
+
+ def gravatar_config
+ Gitlab.config.gravatar
+ end
+
+ def gravatar_url
+ if gitlab_config.https
+ gravatar_config.ssl_url
+ else
+ gravatar_config.plain_url
+ end
+ end
+end
 |
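Review bot: `URI::join(Gitlab.config.gitlab.url, avatar.url)` in the new `avatar_url` resolves `avatar.url` against the configured base as a URI reference, so if the uploader returns a root-relative path such as `/uploads/...` that does not already carry the relative URL root (whether it does is not visible here), the sub-path part of `gitlab.url` is dropped and the API hands out a URL that does not resolve on installs with `relative_url_root` set; verify on such an install before relying on this for API consumers. The method also returns `nil` when nothing is uploaded and `GravatarService#execute` declines (Gravatar disabled or blank email), and `size` only reaches the Gravatar branch; document both above the `def`: `# Absolute URL for API consumers; nil when Gravatar is disabled and no avatar is uploaded. size applies to Gravatar only.` `URI.join` is the conventional spelling of the call.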
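Review bot: `execute` still hands `email: email.strip` to the configured template, so the commit's aim of keeping the address out of API responses holds only as long as `gravatar.plain_url`/`ssl_url` contain no `%{email}` placeholder, and the `%{hash}` that gravatar.com needs still lets anyone holding the URL confirm a guessed address by MD5; put that next to the `sprintf`: `# %{hash} is MD5 of the normalized address and confirms guesses; a template using %{email} puts the raw address into every API avatar_url`. Separately, `gravatar_url` now chooses `ssl_url` solely from `gitlab_config.https`, where the removed controller code also honoured `request.ssl?`, so an install that terminates TLS upstream with `https: false` will embed plain-http Gravatar URLs in HTTPS pages; since an HTTPS image on an HTTP page is harmless, consider returning `gravatar_config.ssl_url` unconditionally, or accept the scheme as an argument to `execute` so the helper can pass the request's. The `size <= 0` comparison raises for a non-Integer `size` rather than interpolating it, which is acceptable, but `Integer(size)` would make that intent explicit.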