author | Ash McKenzie <amckenzie@gitlab.com> | 2018-06-10 22:56:17 +1000 |
---|---|---|
committer | Ash McKenzie <amckenzie@gitlab.com> | 2018-06-13 12:11:38 +1000 |
commit | 2f297034036055aaf37f86ece22723aedf8741bf (patch) | |
tree | 731fab3c82dd23d63ba9b89ad101d11e409d2fe0 /app/controllers | |
parent | f646a8b9bc95fd6cecaa754f7dd0e8370c201502 (diff) | |
download | gitlab-ce-ash.mckenzie/secret-snippets.tar.gz |
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/snippets_url.rb | 39 | ||||
-rw-r--r-- | app/controllers/snippets_controller.rb | 10 |
2 files changed, 44 insertions, 5 deletions
diff --git a/app/controllers/concerns/snippets_url.rb b/app/controllers/concerns/snippets_url.rb
new file mode 100644
index 00000000000..e79b7194b27
--- /dev/null
+++ b/app/controllers/concerns/snippets_url.rb
@@ -0,0 +1,39 @@
+module SnippetsUrl
+ extend ActiveSupport::Concern
+
+ private
+
+ attr_reader :snippet
+
+ def authorize_secret_snippet!
+ if snippet.secret?
+ return if params[:secret] == snippet.secret_word
+
+ return render_404
+ end
+
+ current_user ? render_404 : authenticate_user!
+ end
+
+ def ensure_complete_url
+ redirect_to complete_url unless url_contains_secret?
+ end
+
+ def url_contains_secret?
+ request.query_parameters['secret'] == snippet.secret_word
+ end
+
+ def complete_url
+ @complete_url ||= begin
+ url = current_url
+ query_hash = Rack::Utils.parse_nested_query(url.query)
+ query_hash['secret'] = snippet.secret_word
+ url.query = query_hash.to_query
+ url.to_s
+ end
+ end
+
+ def current_url
+ @current_url ||= URI.parse(request.original_url)
+ end
+end
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 3d51520ddf4..890614c0e28 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -3,6 +3,7 @@ class SnippetsController < ApplicationController
 include ToggleAwardEmoji
 include SpammableActions
 include SnippetsActions
+ include SnippetsUrl
 include RendersBlob
 include PreviewMarkdown
@@ -13,6 +14,9 @@ class SnippetsController < ApplicationController
 # Allow read snippet
 before_action :authorize_read_snippet!, only: [:show, :raw]
+ # Ensure we're displaying the correct url, specifically for secret snippets
+ before_action :ensure_complete_url, only: [:show, :raw]
+
 # Allow modify snippet
 before_action :authorize_update_snippet!, only: [:edit, :update]
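Review bot: `ensure_complete_url` is not limited to secret snippets, and for a snippet whose `secret_word` is nil (presumably every non-secret one, though the model is not in this diff) a request carrying a stray `?secret=` parameter fails `url_contains_secret?`, is redirected to a URL with `secret=` appended, and fails it again on the next request, so the guard should be `redirect_to complete_url if snippet.secret? && !url_contains_secret?`. Separately, `params[:secret] == snippet.secret_word` in `authorize_secret_snippet!` is a plain string compare on what is the only credential for a secret snippet; prefer `return if snippet.secret_word.present? && ActiveSupport::SecurityUtils.secure_compare(params[:secret].to_s, snippet.secret_word)`, which is constant-time and also stops a nil secret word from matching a missing parameter. The two checks read the parameter from different places (`params[:secret]` versus `request.query_parameters['secret']`); using one source keeps them in step.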
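Review bot: The new `before_action :ensure_complete_url` depends on being registered after `authorize_read_snippet!`, since callbacks run in declaration order and the redirect appends the secret word to the URL only once access has been granted; that ordering constraint is worth stating in the comment, e.g. `# Must stay after :authorize_read_snippet! so the secret is only appended for authorized requests`. The same applies to the `include SnippetsUrl` hunk above, which is otherwise trivial.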
@@ -108,11 +112,7 @@ class SnippetsController < ApplicationController
 def authorize_read_snippet!
 return if can?(current_user, :read_personal_snippet, @snippet)
- if current_user
- render_404
- else
- authenticate_user!
- end
+ authorize_secret_snippet!
 end
 def authorize_update_snippet! |
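Review bot: For a secret snippet, `authorize_secret_snippet!` answers a wrong or missing secret with `render_404` for anonymous users as well, where the removed branch sent them through `authenticate_user!`; that looks intentional, since a 404 avoids confirming that the snippet exists, but it changes the anonymous flow and deserves a comment at the call site, e.g. `# Secret snippets: a wrong secret is a 404 regardless of sign-in state`. Non-secret snippets keep the old behaviour because the concern falls through to the same `current_user ? render_404 : authenticate_user!` expression. `authorize_update_snippet!` begins on the hunk's last line and continues outside it.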