Diffstat (limited to 'app/controllers/uploads_controller.rb')
-rw-r--r-- | app/controllers/uploads_controller.rb | 45 |
1 files changed, 22 insertions, 23 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index d7eb3ccd274..4df0ef78907 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -40,30 +40,29 @@ class UploadsController < ApplicationController
     upload_model_class.find(params[:id])
   end
 
-  def authorize_access!
-    authorized =
-      case model
-      when Note
-        can?(current_user, :read_project, model.project)
-      when Snippet, ProjectSnippet
-        can?(current_user, :read_snippet, model)
-      when User
-        # We validate the current user has enough (writing)
-        # access to itself when a secret is given.
-        # For instance, user avatars are readable by anyone,
-        # while temporary, user snippet uploads are not.
-        !secret? || can?(current_user, :update_user, model)
-      when Appearance
-        true
-      when Projects::Topic
-        true
-      else
-        permission = "read_#{model.class.underscore}".to_sym
-
-        can?(current_user, permission, model)
-      end
+  def authorized?
+    case model
+    when Note
+      can?(current_user, :read_project, model.project)
+    when Snippet, ProjectSnippet
+      can?(current_user, :read_snippet, model)
+    when User
+      # We validate the current user has enough (writing)
+      # access to itself when a secret is given.
+      # For instance, user avatars are readable by anyone,
+      # while temporary, user snippet uploads are not.
+      !secret? || can?(current_user, :update_user, model)
+    when Appearance
+      true
+    when Projects::Topic
+      true
+    else
+      can?(current_user, "read_#{model.class.underscore}".to_sym, model)
+    end
+  end
 
-    render_unauthorized unless authorized
+  def authorize_access!
+    render_unauthorized unless authorized?
   end
 
   def authorize_create_access!
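Review bot: The two unconditional `true` branches in the new `authorized?` (`when Appearance` and `when Projects::Topic`) are the only access decisions in this method without a comment saying why no per-user check applies, which matters now that the predicate is a standalone method that can be called or overridden on its own. I would merge them into `when Appearance, Projects::Topic` / `true` and add a comment above it such as `# Appearance and topic uploads are public assets; no per-user check is needed` (wording to be confirmed against the policies). The `else` branch derives the ability name from `model.class.underscore`; since that yields a slash for namespaced classes, it presumably only works for top-level models, which is worth stating in a one-line comment so the next namespaced upload model gets an explicit branch rather than falling through. The enclosing `UploadsController` class, and whether these methods sit under `private`, lie outside the hunk.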