From c8fe42151291593f0f43509a70235c46fce169a1 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre
Date: Thu, 29 Oct 2015 18:42:29 -0200
Subject: Improve personal snippet access workflow. Fixes #3258

---
 app/controllers/snippets_controller.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'app/controllers/snippets_controller.rb')

diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 9f9f9a92f11..8498efc89d0 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -1,6 +1,9 @@
 class SnippetsController < ApplicationController
 before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
 
+ # Allow read snippet
+ before_action :authorize_show_snippet!, only: [:show]
+
 # Allow modify snippet
 before_action :authorize_update_snippet!, only: [:edit, :update]
 
@@ -79,10 +82,14 @@ class SnippetsController < ApplicationController
 [Snippet::PUBLIC, Snippet::INTERNAL]).
 find(params[:id])
 else
- PersonalSnippet.are_public.find(params[:id])
+ PersonalSnippet.find(params[:id])
 end
 end
 
+ def authorize_show_snippet!
+ authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+ end
+
 def authorize_update_snippet!
 return render_404 unless can?(current_user, :update_personal_snippet, @snippet)
 end
-- 
cgit v1.2.1
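Review bot: The new read guard is registered with `only: [:show]`, but the `snippet` filter on the line above it also loads the record for `:raw`, and this same commit stops scoping the anonymous lookup to public snippets; unless `raw` performs its own `can?` check (not visible in this diff), an unauthenticated request for `/snippets/:id/raw` would now be served a private or internal snippet's content. Register the guard on both read actions: `before_action :authorize_show_snippet!, only: [:show, :raw]`. The added comment is also misleading as written — `# Allow read snippet` describes the opposite of a guard; `# Require read access to the snippet (redirects anonymous users to sign-in)` states what the filter does.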
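Review bot: `authorize_show_snippet!` only redirects an anonymous visitor; for a signed-in user `authenticate_user!` is a no-op, so a denied `can?` lets the action proceed and the guard is silently relying on the `current_user` branch of `snippet` (author or public/internal) to have already excluded the record. That coupling is fragile — if the finder is ever widened, signed-in users read private snippets with no error — and the guard should fail closed on its own: `return if can?(current_user, :read_personal_snippet, @snippet)`, `return authenticate_user! unless current_user`, `render_404`. Note also that replacing `are_public.find` with `find` for anonymous users means an existing private id now answers with a sign-in redirect while an unknown id still raises RecordNotFound, so unauthenticated clients can distinguish the two; that is presumably the intended workflow here, but it is an existence oracle worth stating in the commit message. The `snippet` method whose `else` branch is changed begins above this hunk.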