Commit d9ec830a authored by Sean McGivern's avatar Sean McGivern Committed by Bob Van Landuyt

Merge branch 'snippets_visibility' into 'security'

Fix snippets visibility for show action - external users can not see internal snippets

See merge request !2087
parent 9ae401cf
...@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController ...@@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
protected protected
def snippet def snippet
@snippet ||= if current_user @snippet ||= PersonalSnippet.find_by(id: params[:id])
PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
current_user.id,
[Snippet::PUBLIC, Snippet::INTERNAL]).
find(params[:id])
else
PersonalSnippet.find(params[:id])
end
end end
alias_method :awardable, :snippet alias_method :awardable, :snippet
alias_method :spammable, :snippet alias_method :spammable, :snippet
def authorize_read_snippet! def authorize_read_snippet!
authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet) return if can?(current_user, :read_personal_snippet, @snippet)
if current_user
render_404
else
authenticate_user!
end
end end
def authorize_update_snippet! def authorize_update_snippet!
......
---
title: Fix snippets visibility for show action - external users can not see internal snippets
merge_request:
author:
...@@ -132,7 +132,7 @@ describe SnippetsController do ...@@ -132,7 +132,7 @@ describe SnippetsController do
it 'responds with status 404' do it 'responds with status 404' do
get :show, id: 'doesntexist' get :show, id: 'doesntexist'
expect(response).to have_http_status(404) expect(response).to redirect_to(new_user_session_path)
end end
end end
end end
...@@ -478,10 +478,10 @@ describe SnippetsController do ...@@ -478,10 +478,10 @@ describe SnippetsController do
end end
context 'when not signed in' do context 'when not signed in' do
it 'responds with status 404' do it 'redirects to the sign in path' do
get :raw, id: 'doesntexist' get :raw, id: 'doesntexist'
expect(response).to have_http_status(404) expect(response).to redirect_to(new_user_session_path)
end end
end end
end end
......
require 'rails_helper'
feature 'Internal Snippets', feature: true, js: true do
let(:internal_snippet) { create(:personal_snippet, :internal) }
describe 'normal user' do
before do
login_as :user
end
scenario 'sees internal snippets' do
visit snippet_path(internal_snippet)
expect(page).to have_content(internal_snippet.content)
end
scenario 'sees raw internal snippets' do
visit raw_snippet_path(internal_snippet)
expect(page).to have_content(internal_snippet.content)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment