author | Oswaldo Ferreira <oswaldo@gitlab.com> | 2019-06-04 20:50:57 -0300 |
committer | Oswaldo Ferreira <oswaldo@gitlab.com> | 2019-06-17 11:25:40 -0300 |
commit | 44e1915d4f0e20cf445196ccc7e1d279c75ef0ce (patch) | |
tree | 2619dcea9bf96af77023f8fb9a0b84cd5a8f69ee /app/controllers | |
parent | e398409a74db7f3ca1c90d3b056b3a84ebb1b6cf (diff) | |
Persist tmp snippet uploads
It persists temporary personal snippets under
user/:id namespaces temporarily while creating
an upload record to track them. If a user gets removed
while it is still a tmp upload, the upload also gets removed.
If the tmp upload is sent, the upload gets moved to
personal_snippets/:id as before. The upload record
also gets updated to the new model type.
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/snippets_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/uploads_controller.rb | 20 |
2 files changed, 17 insertions, 5 deletions
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 8ea5450b4e8..fad036b8df8 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -137,7 +137,7 @@ class SnippetsController < ApplicationController
 
 def move_temporary_files
 params[:files].each do |file|
- FileMover.new(file, @snippet).execute
+ FileMover.new(file, from_model: current_user, to_model: @snippet).execute
 end
 end
 end
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 5d28635232b..94bd18f70d4 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -41,7 +41,11 @@ class UploadsController < ApplicationController
 when Note
 can?(current_user, :read_project, model.project)
 when User
- true
+ # We validate the current user has enough (writing)
+ # access to itself when a secret is given.
+ # For instance, user avatars are readable by anyone,
+ # while temporary, user snippet uploads are not.
+ !secret? || can?(current_user, :update_user, model)
 when Appearance
 true
 else
@@ -56,9 +60,13 @@ class UploadsController < ApplicationController
 def authorize_create_access!
 return unless model
 
- # for now we support only personal snippets comments. Only personal_snippet
- # is allowed as a model to #create through routing.
- authorized = can?(current_user, :create_note, model)
+ authorized =
+ case model
+ when User
+ can?(current_user, :update_user, model)
+ else
+ can?(current_user, :create_note, model)
+ end
 
 render_unauthorized unless authorized
 end
@@ -75,6 +83,10 @@ class UploadsController < ApplicationController
 User === model || Appearance === model
 end
 
+ def secret?
+ params[:secret].present?
+ end
+
 def upload_model_class
 MODEL_CLASSES[params[:model]] || raise(UnknownUploadModelError)
 end |
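Review bot: In the `when User` branch of the first uploads_controller hunk, read authorization now hinges on `secret?`, which only tests that a `secret` param is present, so a User-scoped upload reached through a route that omits the param is treated like a world-readable avatar; whether that is reachable depends on how the uploader is resolved outside this hunk, so it is worth confirming that temporary snippet uploads can only be located when the secret is supplied. The added comment also says "access to itself", while the check is `can?(current_user, :update_user, model)` against the user who owns the upload; I would reword it to `# When a secret is given, require update access to the owning user: avatars are readable by anyone, temporary snippet uploads are not.` The `authorize_create_access!` hunk drops the comment explaining that only certain models reach #create via routing without replacing it, so a one-line note on which models the `case` expects would help the next reader. The `case` containing the first hunk starts and ends outside the hunk.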