From 8f9b64c720d55ee40066d5a6b1017ab95dbd9781 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre
Date: Wed, 22 Jun 2016 17:44:24 -0300
Subject: Fix internal snippets can be searched by anyone
---
 app/models/snippet.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'app/models/snippet.rb')
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index f8034cb5e6b..3a191cd91d0 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -135,7 +135,10 @@ class Snippet < ActiveRecord::Base
 end
 def accessible_to(user)
- where('visibility_level IN (?) OR author_id = ?', [Snippet::INTERNAL, Snippet::PUBLIC], user)
+ visibility_levels = [Snippet::PUBLIC]
+ visibility_levels << Snippet::INTERNAL if user
+
+ where('visibility_level IN (?) OR author_id = ?', visibility_levels, user)
 end
 end
 end
-- cgit v1.2.1
From 256cd8e498edfcbb8199abfb2b54d2d2905f030e Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre
Date: Wed, 22 Jun 2016 19:29:40 -0300
Subject: Fix visibility of private project snippets for members when searching
---
 app/models/snippet.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'app/models/snippet.rb')
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 3a191cd91d0..51f6ae7b25c 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -135,10 +135,16 @@ class Snippet < ActiveRecord::Base
 end
 def accessible_to(user)
- visibility_levels = [Snippet::PUBLIC]
- visibility_levels << Snippet::INTERNAL if user
-
- where('visibility_level IN (?) OR author_id = ?', visibility_levels, user)
+ return are_public unless user.present?
+ return all if user.admin?
+
+ where(
+ 'visibility_level IN (:visibility_levels)
+ OR author_id = :author_id
+ OR project_id IN (:project_ids)',
+ visibility_levels: [Snippet::PUBLIC, Snippet::INTERNAL],
+ author_id: user.id,
+ project_ids: user.authorized_projects.select(:id))
 end
 end
 end
-- cgit v1.2.1
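Review bot: `visibility_levels << Snippet::INTERNAL if user` treats every signed-in account as entitled to internal snippets, so any restricted account type the application has is let through as well. If this codebase distinguishes such accounts (GitLab's `User#external?` is the one I would expect to matter, though nothing in this hunk shows it), the guard should exclude them, e.g. `visibility_levels << Snippet::INTERNAL if user && !user.external?`. The hard-coded `[Snippet::PUBLIC, Snippet::INTERNAL]` in commit 256cd8e's version of `accessible_to` has the same property. Separately, `author_id = ?` is bound to the `user` object itself, and to nil for anonymous callers, which only works because `author_id = NULL` never matches; binding an explicit id would make that intent readable.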
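Review bot: In commit 256cd8e the `visibility_level IN (:visibility_levels)` branch is OR-ed with the project check rather than combined with it, so a project snippet marked public or internal matches for any signed-in user even when its project is not in `user.authorized_projects`. `are_public` is defined outside the hunk and presumably has the same shape for anonymous callers. Whether this exposes anything depends on snippet visibility being capped at the project's visibility, and on the project's snippets feature being enabled, somewhere not shown here. I would either restrict the visibility branch to personal snippets plus projects the caller can read, or record the assumption above the query: `# Assumes a project snippet is never more visible than its project.` The new `project_id IN (:project_ids)` branch also admits every membership level, so it is worth confirming that the lowest role is meant to find private project snippets through search.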
From 5ff8371c5edac7d57c495e6fa8bb664361b8880f Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Thu, 16 Jun 2016 11:55:04 -0700
Subject: add an alias for Snippet#path
---
 app/models/snippet.rb | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'app/models/snippet.rb')
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index f8034cb5e6b..40728d04574 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -20,6 +20,12 @@ class Snippet < ActiveRecord::Base
 length: { within: 0..255 },
 format: { with: Gitlab::Regex.file_name_regex,
 message: Gitlab::Regex.file_name_regex_message }
+
+ # [jneen] alias for compatibility with blobs and highlighting
+ def path
+ file_name
+ end
+
 validates :content, presence: true
 validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
-- cgit v1.2.1
From e7b512efa65aebe26cd0240a4d077475c42761c1 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Wed, 22 Jun 2016 11:50:58 -0700
Subject: move the path alias to a more appropriate location
---
 app/models/snippet.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'app/models/snippet.rb')
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 40728d04574..d18d1474855 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -21,11 +21,6 @@ class Snippet < ActiveRecord::Base
 format: { with: Gitlab::Regex.file_name_regex,
 message: Gitlab::Regex.file_name_regex_message }
- # [jneen] alias for compatibility with blobs and highlighting
- def path
- file_name
- end
-
 validates :content, presence: true
 validates :visibility_level, inclusion: { in: Gitlab::VisibilityLevel.values }
@@ -87,6 +82,11 @@ class Snippet < ActiveRecord::Base
 0
 end
+ # alias for compatibility with blobs and highlighting
+ def path
+ file_name
+ end
+
 def name
 file_name
 end
-- cgit v1.2.1