Per project protection

author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-02-15 09:51:21 +0200
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-02-15 09:51:21 +0200
commit: f6cc71bc36283223a10f3004121be34f06547d94 (patch)
tree: dba91224d9aaed64018fc7a1b763212ea08e27e1 /app/controllers/files_controller.rb
parent: 4821aa6c251a1a2eb4f1fac7bf0f2897a435b48b (diff)
download: gitlab-ce-f6cc71bc36283223a10f3004121be34f06547d94.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index 09f1e5512d6..3cd2e77322c 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,13 @@
 class FilesController < ApplicationController
   def download
-    uploader = Note.find(params[:id]).attachment
-    send_file uploader.file.path, disposition: 'attachment'
+    note = Note.find(params[:id])
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
+      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
   end
 end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-02-15 09:51:21 +0200
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-02-15 09:51:21 +0200
commit	f6cc71bc36283223a10f3004121be34f06547d94 (patch)
tree	dba91224d9aaed64018fc7a1b763212ea08e27e1 /app/controllers/files_controller.rb
parent	4821aa6c251a1a2eb4f1fac7bf0f2897a435b48b (diff)
download	gitlab-ce-f6cc71bc36283223a10f3004121be34f06547d94.tar.gz