Merge branch 'snippets_visibility' into 'security'

Fix snippets visibility for show action - external users can not see internal snippets

See merge request !2087

app/controllers/snippets_controller.rb

@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
   protected
 
   def snippet
-    @snippet ||= if current_user
-                   PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
-                     current_user.id,
-                     [Snippet::PUBLIC, Snippet::INTERNAL]).
-                     find(params[:id])
-                 else
-                   PersonalSnippet.find(params[:id])
-                 end
+    @snippet ||= PersonalSnippet.find_by(id: params[:id])
   end
+
   alias_method :awardable, :snippet
   alias_method :spammable, :snippet
 
   def authorize_read_snippet!
-    authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+    return if can?(current_user, :read_personal_snippet, @snippet)
+
+    if current_user
+      render_404
+    else
+      authenticate_user!
+    end
   end
 
   def authorize_update_snippet!

changelogs/unreleased/snippets_visibility.yml

+---
+title: Fix snippets visibility for show action - external users can not see internal snippets
+merge_request:
+author:

spec/controllers/snippets_controller_spec.rb

@@ -132,7 +132,7 @@ describe SnippetsController do
         it 'responds with status 404' do
           get :show, id: 'doesntexist'
 
-          expect(response).to have_http_status(404)
+          expect(response).to redirect_to(new_user_session_path)
         end
       end
     end
@@ -478,10 +478,10 @@ describe SnippetsController do
       end
 
       context 'when not signed in' do
-        it 'responds with status 404' do
+        it 'redirects to the sign in path' do
           get :raw, id: 'doesntexist'
 
-          expect(response).to have_http_status(404)
+          expect(response).to redirect_to(new_user_session_path)
         end
       end
     end

spec/features/snippets/internal_snippet_spec.rb

+require 'rails_helper'
+
+feature 'Internal Snippets', feature: true, js: true do
+  let(:internal_snippet) { create(:personal_snippet, :internal) }
+
+  describe 'normal user' do
+    before do
+      login_as :user
+    end
+
+    scenario 'sees internal snippets' do
+      visit snippet_path(internal_snippet)
+
+      expect(page).to have_content(internal_snippet.content)
+    end
+
+    scenario 'sees raw internal snippets' do
+      visit raw_snippet_path(internal_snippet)
+
+      expect(page).to have_content(internal_snippet.content)
+    end
+  end
+end