From 084b7edb17d25a3d43526cca560569dd82c5c09d Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Wed, 19 Dec 2018 14:15:58 +0100
Subject: Do not expose trigger token when user should not see it

---
 app/controllers/projects/triggers_controller.rb | 7 +++----
 app/models/ci/trigger.rb                        | 1 +
 app/presenters/ci/trigger_presenter.rb          | 19 +++++++++++++++++++
 app/views/projects/triggers/_trigger.html.haml  | 2 +-
 4 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 app/presenters/ci/trigger_presenter.rb
(limited to 'app')

diff --git a/app/controllers/projects/triggers_controller.rb b/app/controllers/projects/triggers_controller.rb
index f5fdfb8accc..c7b4ebb2b24 100644
--- a/app/controllers/projects/triggers_controller.rb
+++ b/app/controllers/projects/triggers_controller.rb
@@ -66,12 +66,11 @@ class Projects::TriggersController < Projects::ApplicationController
   end
 
   def trigger
-    @trigger ||= project.triggers.find(params[:id]) || render_404
+    @trigger ||= project.triggers.find(params[:id])
+      .present(current_user: current_user)
   end
 
   def trigger_params
-    params.require(:trigger).permit(
-      :description
-    )
+    params.require(:trigger).permit(:description)
   end
 end
diff --git a/app/models/ci/trigger.rb b/app/models/ci/trigger.rb
index 55db42162ca..3a9cdfcc35e 100644
--- a/app/models/ci/trigger.rb
+++ b/app/models/ci/trigger.rb
@@ -4,6 +4,7 @@ module Ci
   class Trigger < ActiveRecord::Base
     extend Gitlab::Ci::Model
     include IgnorableColumn
+    include Presentable
 
     ignore_column :deleted_at
 
diff --git a/app/presenters/ci/trigger_presenter.rb b/app/presenters/ci/trigger_presenter.rb
new file mode 100644
index 00000000000..605c8f328a4
--- /dev/null
+++ b/app/presenters/ci/trigger_presenter.rb
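Review bot: The `trigger` helper now memoizes a `Ci::TriggerPresenter` rather than the raw `Ci::Trigger`, which changes what `trigger.token` returns for every action in this controller that uses the helper, and nothing at the definition says so; a one-line comment would keep the next reader from treating it as the model, e.g. `# Presented: #token is masked unless current_user can admin the trigger`. Any action outside this hunk that forwards `trigger.token` to a consumer expecting the real secret would now silently receive the truncated value — presumably none does, but worth confirming. Dropping `|| render_404` does not change behavior, since `find` raises `ActiveRecord::RecordNotFound` instead of returning nil, so that branch was unreachable. The enclosing `Projects::TriggersController` class starts outside the hunk.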
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Ci
+  class TriggerPresenter < Gitlab::View::Presenter::Delegated
+    presents :trigger
+
+    def has_token_exposed?
+      can?(current_user, :admin_trigger, trigger)
+    end
+
+    def token
+      if has_token_exposed?
+        trigger.token
+      else
+        trigger.short_token
+      end
+    end
+  end
+end
diff --git a/app/views/projects/triggers/_trigger.html.haml b/app/views/projects/triggers/_trigger.html.haml
index 7e4618e1a88..6f6f1e5e0c5 100644
--- a/app/views/projects/triggers/_trigger.html.haml
+++ b/app/views/projects/triggers/_trigger.html.haml
@@ -1,6 +1,6 @@
 %tr
   %td
-    - if can?(current_user, :admin_trigger, trigger)
+    - if trigger.has_token_exposed?
       %span= trigger.token
       = clipboard_button(text: trigger.token, title: "Copy trigger token to clipboard")
     - else
-- 
cgit v1.2.3
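Review bot: `token` in `Ci::TriggerPresenter` shadows the delegated model attribute with a masked value, and the class carries no documentation saying that for a viewer without `:admin_trigger` the presented `token` is no longer the credential; a class-level comment should state that `token` returns `trigger.short_token` unless `current_user` can admin the trigger, and that code needing the real secret must read it from the model, not the presenter. `short_token` is not defined anywhere in this diff, so it is presumably a model method — confirm it yields a non-secret prefix that cannot be used in place of the full token. The predicate name `has_token_exposed?` carries the `has_` prefix the Ruby style guide discourages; `token_exposed?` reads better, though the rename would also touch the haml hunk below.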
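Review bot: The partial now calls `has_token_exposed?` on `trigger`, a method that exists only on `Ci::TriggerPresenter`, while the controller hunk presents only the single record looked up by `params[:id]`; if any render path passes an unpresented `Ci::Trigger` to this partial (an index action rendering the collection, for instance), the new line raises `NoMethodError` where the old `can?` call worked on either object. Worth confirming every caller presents its triggers, e.g. by mapping the collection with `t.present(current_user: current_user)` in the controller before rendering. The `- else` branch continues outside the hunk, so whatever it renders for non-admins is not visible here.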