From 00ca490259de684f4240de4f61728b8eaefbb13e Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 20 Feb 2015 13:13:48 +0100
Subject: Use controllers to serve uploads, with XSS prevention and access
 control.

---
 app/controllers/uploads_controller.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 app/controllers/uploads_controller.rb

(limited to 'app/controllers/uploads_controller.rb')

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
new file mode 100644
index 00000000000..d5877977258
--- /dev/null
+++ b/app/controllers/uploads_controller.rb
@@ -0,0 +1,17 @@
+class UploadsController < ApplicationController
+  def show
+    model = params[:model].camelize.constantize.find(params[:id])
+    uploader = model.send(params[:mounted_as])
+
+    if uploader.file_storage?
+      if !model.respond_to?(:project) || can?(current_user, :read_project, model.project)
+        disposition = uploader.image? ? 'inline' : 'attachment'
+        send_file uploader.file.path, disposition: disposition
+      else
+        not_found!
+      end
+    else
+      redirect_to uploader.url
+    end
+  end
+end
-- 
cgit v1.2.1


From 897a2de54c1d5cbead4589d44a3d173c14849f23 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Mon, 23 Feb 2015 19:35:42 -0800
Subject: Allow non authenticated access to avatars

---
 app/controllers/uploads_controller.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'app/controllers/uploads_controller.rb')

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index d5877977258..73b124bb34c 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -1,4 +1,7 @@
 class UploadsController < ApplicationController
+  skip_before_filter :authenticate_user!, :reject_blocked
+  before_filter :authorize_access
+
   def show
     model = params[:model].camelize.constantize.find(params[:id])
     uploader = model.send(params[:mounted_as])
@@ -14,4 +17,10 @@ class UploadsController < ApplicationController
       redirect_to uploader.url
     end
   end
+
+  def authorize_access
+    unless params[:mounted_as] == 'avatar'
+      authenticate_user! && reject_blocked
+    end
+  end
 end
-- 
cgit v1.2.1