1 files changed, 16 insertions, 4 deletions

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 060b09f015c..47f9921a03b 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -41,7 +41,11 @@ class UploadsController < ApplicationController
       when Note
         can?(current_user, :read_project, model.project)
       when User
-        true
+        # We validate the current user has enough (writing)
+        # access to itself when a secret is given.
+        # For instance, user avatars are readable by anyone,
+        # while temporary, user snippet uploads are not.
+        !secret? || can?(current_user, :update_user, model)
       when Appearance
         true
       else
@@ -56,9 +60,13 @@ class UploadsController < ApplicationController
   def authorize_create_access!
     return unless model
 
-    # for now we support only personal snippets comments. Only personal_snippet
-    # is allowed as a model to #create through routing.
-    authorized = can?(current_user, :create_note, model)
+    authorized =
+      case model
+      when User
+        can?(current_user, :update_user, model)
+      else
+        can?(current_user, :create_note, model)
+      end
 
     render_unauthorized unless authorized
   end
@@ -75,6 +83,10 @@ class UploadsController < ApplicationController
     User === model || Appearance === model
   end
 
+  def secret?
+    params[:secret].present?
+  end
+
   def upload_model_class
     MODEL_CLASSES[params[:model]] || raise(UnknownUploadModelError)
   end