Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Tatuya Kamada
gitlab-ce
Commits
f5e42f60
Commit
f5e42f60
authored
Mar 10, 2015
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Reject access to group/project avatar if the user doesn't have access.
parent
e0caed91
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
329 additions
and
16 deletions
+329
-16
CHANGELOG
CHANGELOG
+1
-0
app/controllers/uploads_controller.rb
app/controllers/uploads_controller.rb
+32
-16
spec/controllers/uploads_controller_spec.rb
spec/controllers/uploads_controller_spec.rb
+296
-0
No files found.
CHANGELOG
View file @
f5e42f60
...
@@ -35,6 +35,7 @@ v 7.9.0 (unreleased)
...
@@ -35,6 +35,7 @@ v 7.9.0 (unreleased)
- Move groups page from profile to dashboard
- Move groups page from profile to dashboard
- Starred projects page at dashboard
- Starred projects page at dashboard
- Blocking user does not remove him/her from project/groups but show blocked label
- Blocking user does not remove him/her from project/groups but show blocked label
- Reject access to group/project avatar if the user doesn't have access.
v 7.8.2
v 7.8.2
- Fix service migration issue when upgrading from versions prior to 7.3
- Fix service migration issue when upgrading from versions prior to 7.3
...
...
app/controllers/uploads_controller.rb
View file @
f5e42f60
class
UploadsController
<
ApplicationController
class
UploadsController
<
ApplicationController
skip_before_filter
:authenticate_user!
,
:reject_blocked!
skip_before_filter
:authenticate_user!
before_filter
:
authorize_access
before_filter
:
find_model
,
:authorize_access!
def
show
def
show
unless
upload_model
&&
upload_mount
uploader
=
@model
.
send
(
upload_mount
)
return
not_found!
end
model
=
upload_model
.
find
(
params
[
:id
])
uploader
=
model
.
send
(
upload_mount
)
if
model
.
respond_to?
(
:project
)
&&
!
can?
(
current_user
,
:read_project
,
model
.
project
)
return
not_found!
end
unless
uploader
.
file_storage?
unless
uploader
.
file_storage?
return
redirect_to
uploader
.
url
return
redirect_to
uploader
.
url
end
end
unless
uploader
.
file
.
exists?
unless
uploader
.
file
&&
uploader
.
file
.
exists?
return
not_found!
return
not_found!
end
end
...
@@ -28,9 +19,34 @@ class UploadsController < ApplicationController
...
@@ -28,9 +19,34 @@ class UploadsController < ApplicationController
private
private
def
authorize_access
def
find_model
unless
params
[
:mounted_as
]
==
'avatar'
unless
upload_model
&&
upload_mount
authenticate_user!
&&
reject_blocked!
return
not_found!
end
@model
=
upload_model
.
find
(
params
[
:id
])
end
def
authorize_access!
authorized
=
case
@model
when
Project
can?
(
current_user
,
:read_project
,
@model
)
when
Group
can?
(
current_user
,
:read_group
,
@model
)
when
Note
can?
(
current_user
,
:read_project
,
@model
.
project
)
else
# No authentication required for user avatars.
true
end
return
if
authorized
if
current_user
not_found!
else
authenticate_user!
end
end
end
end
...
...
spec/controllers/uploads_controller_spec.rb
0 → 100644
View file @
f5e42f60
require
'spec_helper'
describe
UploadsController
do
let!
(
:user
)
{
create
(
:user
,
avatar:
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"image/png"
))
}
describe
"GET show"
do
context
"when viewing a user avatar"
do
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when the user is blocked"
do
before
do
user
.
block
end
it
"redirects to the sign in page"
do
get
:show
,
model:
"user"
,
mounted_as:
"avatar"
,
id:
user
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when the user isn't blocked"
do
it
"responds with status 200"
do
get
:show
,
model:
"user"
,
mounted_as:
"avatar"
,
id:
user
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when not signed in"
do
it
"responds with status 200"
do
get
:show
,
model:
"user"
,
mounted_as:
"avatar"
,
id:
user
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when viewing a project avatar"
do
let!
(
:project
)
{
create
(
:project
,
avatar:
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"image/png"
))
}
context
"when the project is public"
do
before
do
project
.
update_attribute
(
:visibility_level
,
Project
::
PUBLIC
)
end
context
"when not signed in"
do
it
"responds with status 200"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
it
"responds with status 200"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the project is private"
do
before
do
project
.
update_attribute
(
:visibility_level
,
Project
::
PRIVATE
)
end
context
"when not signed in"
do
it
"redirects to the sign in page"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when the user has access to the project"
do
before
do
project
.
team
<<
[
user
,
:master
]
end
context
"when the user is blocked"
do
before
do
user
.
block
project
.
team
<<
[
user
,
:master
]
end
it
"redirects to the sign in page"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when the user isn't blocked"
do
it
"responds with status 200"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the user doesn't have access to the project"
do
it
"responds with status 404"
do
get
:show
,
model:
"project"
,
mounted_as:
"avatar"
,
id:
project
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
end
context
"when viewing a group avatar"
do
let!
(
:group
)
{
create
(
:group
,
avatar:
fixture_file_upload
(
Rails
.
root
+
"spec/fixtures/dk.png"
,
"image/png"
))
}
let!
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
context
"when the group has public projects"
do
before
do
project
.
update_attribute
(
:visibility_level
,
Project
::
PUBLIC
)
end
context
"when not signed in"
do
it
"responds with status 200"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
it
"responds with status 200"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the project doesn't have public projects"
do
context
"when not signed in"
do
it
"redirects to the sign in page"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when the user has access to the project"
do
before
do
project
.
team
<<
[
user
,
:master
]
end
context
"when the user is blocked"
do
before
do
user
.
block
project
.
team
<<
[
user
,
:master
]
end
it
"redirects to the sign in page"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when the user isn't blocked"
do
it
"responds with status 200"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the user doesn't have access to the project"
do
it
"responds with status 404"
do
get
:show
,
model:
"group"
,
mounted_as:
"avatar"
,
id:
group
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
end
context
"when viewing a note attachment"
do
let!
(
:note
)
{
create
(
:note
,
:with_attachment
)
}
let
(
:project
)
{
note
.
project
}
context
"when the project is public"
do
before
do
project
.
update_attribute
(
:visibility_level
,
Project
::
PUBLIC
)
end
context
"when not signed in"
do
it
"responds with status 200"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
it
"responds with status 200"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the project is private"
do
before
do
project
.
update_attribute
(
:visibility_level
,
Project
::
PRIVATE
)
end
context
"when not signed in"
do
it
"redirects to the sign in page"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when the user has access to the project"
do
before
do
project
.
team
<<
[
user
,
:master
]
end
context
"when the user is blocked"
do
before
do
user
.
block
project
.
team
<<
[
user
,
:master
]
end
it
"redirects to the sign in page"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when the user isn't blocked"
do
it
"responds with status 200"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
200
)
end
end
end
context
"when the user doesn't have access to the project"
do
it
"responds with status 404"
do
get
:show
,
model:
"note"
,
mounted_as:
"attachment"
,
id:
note
.
id
,
filename:
"image.png"
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment