From d9ec830a8348fca93775c5f0b1f81a83e8c4f95a Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Tue, 25 Apr 2017 14:41:26 +0000
Subject: Merge branch 'snippets_visibility' into 'security'

Fix snippets visibility for show action - external users can not see internal snippets

See merge request !2087
---
 app/controllers/snippets_controller.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'app/controllers/snippets_controller.rb')

diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 19e07e3ab86..656a365b701 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
   protected
 
   def snippet
-    @snippet ||= if current_user
-                   PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
-                     current_user.id,
-                     [Snippet::PUBLIC, Snippet::INTERNAL]).
-                     find(params[:id])
-                 else
-                   PersonalSnippet.find(params[:id])
-                 end
+    @snippet ||= PersonalSnippet.find_by(id: params[:id])
   end
+
   alias_method :awardable, :snippet
   alias_method :spammable, :snippet
 
   def authorize_read_snippet!
-    authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+    return if can?(current_user, :read_personal_snippet, @snippet)
+
+    if current_user
+      render_404
+    else
+      authenticate_user!
+    end
   end
 
   def authorize_update_snippet!
-- 
cgit v1.2.3