author | Hannes Rosenögger <123haynes@gmail.com> | 2015-04-14 17:02:17 +0200 |
---|---|---|
committer | Hannes Rosenögger <123haynes@gmail.com> | 2015-04-16 12:37:19 +0200 |
commit | 7bba2a19abca889ba439c74fbcc3e4d94f6f6760 (patch) | |
tree | 08c9ed39e70cce80cd810372aa6917b86a4eaab4 | |
parent | ed94cde2b2b920a38490919597dda7aa706dff62 (diff) | |
remove access control for images
This commit removes the access control for uploaded images.
This is needed to display the images in emails again.
-rw-r--r-- | app/controllers/projects/uploads_controller.rb | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
index 9020e86c44e..69d02affec2 100644
--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
@@ -1,7 +1,9 @@
 class Projects::UploadsController < Projects::ApplicationController
 layout 'project'

- before_filter :project
+ skip_before_filter :project, :repository, :authenticate_user!, only: [:show]
+
+ before_filter :authorize_uploads, only: [:show]

 def create
 link_to_file = ::Projects::UploadService.new(project, params[:file]).
@@ -21,15 +23,32 @@ class Projects::UploadsController < Projects::ApplicationController
 end

 def show
- uploader = FileUploader.new(project, params[:secret])
+ uploader = get_file
+
+ return not_found! if uploader.nil? || !uploader.file.exists?
+
+ disposition = uploader.image? ? 'inline' : 'attachment'
+ send_file uploader.file.path, disposition: disposition
+ end
+
+ def get_file
+ namespace = params[:namespace_id]
+ id = params[:project_id]

- return redirect_to uploader.url unless uploader.file_storage?
+ file_project = Project.find_with_namespace("#{namespace}/#{id}")
+ return nil if file_project.nil?
+
+ uploader = FileUploader.new(file_project, params[:secret])

 uploader.retrieve_from_store!(params[:filename])

- return not_found! unless uploader.file.exists?
+ uploader
+ end

- disposition = uploader.image? ? 'inline' : 'attachment'
- send_file uploader.file.path, disposition: disposition
+ def authorize_uploads
+ uploader = get_file
+ unless uploader && uploader.image?
+ project
+ end
 end
 end |
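Review bot: The filter lines at the top of the class make `show` reachable without a session, and nothing in the file records that or says what replaces the skipped checks. `authorize_uploads` (second hunk) re-applies only `project`, and only when the upload is not an image, so `repository` and `authenticate_user!` are never run for `show`; whether `project` on its own still forces sign-in for a private project is not visible here and should be confirmed. I would add a comment above the skip, e.g. `# show is intentionally unauthenticated for images (needed for e-mail clients); the secret in the URL is then the only protection, and authorize_uploads re-checks project access for every other file type.`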
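Review bot: `get_file` and `authorize_uploads` are defined after `show` with no `private` visible in the hunk, which leaves both as public controller methods; add `private` on the line before `def get_file`. The decision to skip the project check rests entirely on `uploader.image?`, whose implementation is outside this diff. If it classifies by file name or extension rather than by content, any upload named like an image is served `inline` without a project check, so the classification should be confirmed and documented in a comment on `authorize_uploads`. `get_file` also runs twice per request (once in the filter, once in `show`), repeating the project lookup and `retrieve_from_store!`; memoizing its result in an instance variable would avoid that.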