gitlab-org--gitlab-foss/app/controllers/projects/snippets_controller.rb

# frozen_string_literal: true

class Projects::SnippetsController < Projects::ApplicationController
  include RendersNotes
  include ToggleAwardEmoji
  include SpammableActions
  include SnippetsActions
  include RendersBlob
  include Gitlab::NoteableMetadata

  skip_before_action :verify_authenticity_token,
    if: -> { action_name == 'show' && js_request? }

  before_action :check_snippets_available!
  before_action :snippet, only: [:show, :edit, :destroy, :update, :raw, :toggle_award_emoji, :mark_as_spam]

  # Allow read any snippet
  before_action :authorize_read_project_snippet!, except: [:new, :create, :index]

  # Allow write(create) snippet
  before_action :authorize_create_project_snippet!, only: [:new, :create]

  # Allow modify snippet
  before_action :authorize_update_project_snippet!, only: [:edit, :update]

  # Allow destroy snippet
  before_action :authorize_admin_project_snippet!, only: [:destroy]

  respond_to :html

  def index
    @snippets = SnippetsFinder.new(current_user, project: @project, scope: params[:scope])
      .execute
      .page(params[:page])
      .inc_author

    if @snippets.out_of_range? && @snippets.total_pages != 0
      return redirect_to project_snippets_path(@project, page: @snippets.total_pages)
    end

    @noteable_meta_data = noteable_meta_data(@snippets, 'Snippet')
  end

  def new
    @snippet = @noteable = @project.snippets.build
  end

  def create
    create_params = snippet_params.merge(spammable_params)

    @snippet = CreateSnippetService.new(@project, current_user, create_params).execute

    recaptcha_check_with_fallback { render :new }
  end

  def update
    update_params = snippet_params.merge(spammable_params)

    UpdateSnippetService.new(project, current_user, @snippet, update_params).execute

    recaptcha_check_with_fallback { render :edit }
  end

  def show
    blob = @snippet.blob
    conditionally_expand_blob(blob)

    respond_to do |format|
      format.html do
        @note = @project.notes.new(noteable: @snippet)
        @noteable = @snippet

        @discussions = @snippet.discussions
        @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)
        render 'show'
      end

      format.json do
        render_blob_json(blob)
      end

      format.js do
        if @snippet.embeddable?
          render 'shared/snippets/show'
        else
          head :not_found
        end
      end
    end
  end

  def destroy
    return access_denied! unless can?(current_user, :admin_project_snippet, @snippet)

    @snippet.destroy

    redirect_to project_snippets_path(@project), status: :found
  end

  protected

  def snippet
    @snippet ||= @project.snippets.inc_relations_for_view.find(params[:id])
  end
  alias_method :awardable, :snippet
  alias_method :spammable, :snippet

  def spammable_path
    project_snippet_path(@project, @snippet)
  end

  def authorize_read_project_snippet!
    return render_404 unless can?(current_user, :read_project_snippet, @snippet)
  end

  def authorize_update_project_snippet!
    return render_404 unless can?(current_user, :update_project_snippet, @snippet)
  end

  def authorize_admin_project_snippet!
    return render_404 unless can?(current_user, :admin_project_snippet, @snippet)
  end

  def snippet_params
    params.require(:project_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)
  end
end
Enable even more frozen string in app/controllers Enables frozen string for some vestigial files as well as the following: * app/controllers/projects/*/.rb * app/controllers/sherlock/*/.rb * app/controllers/snippets/*/.rb * app/controllers/users/*/.rb Partially addresses #47424. 2018-09-26 03:45:43 +00:00			`# frozen_string_literal: true`

Project snippets moved to /projects 2013-03-23 19:13:51 +00:00			`class Projects::SnippetsController < Projects::ApplicationController`
Address review comments 2017-03-31 03:06:09 +00:00			`include RendersNotes`
Start Frontend work, fix routing problem 2016-09-04 08:51:12 +00:00			`include ToggleAwardEmoji`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`include SpammableActions`
Download snippets with LF line-endings by default 2017-02-06 15:04:00 +00:00			`include SnippetsActions`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`include RendersBlob`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 11:12:20 +00:00			`include Gitlab::NoteableMetadata`
Start Frontend work, fix routing problem 2016-09-04 08:51:12 +00:00
Rewrite `if:` argument in before_action and alike when `only:` is also used Closes #55564 This is first discovered in #54739 (comment 122609857) that if both if: and only: are used in a before_action or after_action or alike, if: is completely ignored. 2019-02-27 07:41:14 +00:00			`skip_before_action :verify_authenticity_token,`
			`if: -> { action_name == 'show' && js_request? }`
embedded snippets support 2018-02-06 13:33:18 +00:00
Use the new check_project_feature_available! method in project controllers 2017-06-20 11:13:04 +00:00			`before_action :check_snippets_available!`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`before_action :snippet, only: [:show, :edit, :destroy, :update, :raw, :toggle_award_emoji, :mark_as_spam]`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`# Allow read any snippet`
Ensure project snippets have their own access level 2016-03-25 17:51:17 +00:00			`before_action :authorize_read_project_snippet!, except: [:new, :create, :index]`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`# Allow write(create) snippet`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 14:44:21 +00:00			`before_action :authorize_create_project_snippet!, only: [:new, :create]`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`# Allow modify snippet`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 14:44:21 +00:00			`before_action :authorize_update_project_snippet!, only: [:edit, :update]`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`# Allow destroy snippet`
Fixed the Rails/ActionFilter cop Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-04-16 12:03:37 +00:00			`before_action :authorize_admin_project_snippet!, only: [:destroy]`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`respond_to :html`

			`def index`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 11:12:20 +00:00			`@snippets = SnippetsFinder.new(current_user, project: @project, scope: params[:scope])`
			`.execute`
			`.page(params[:page])`
			`.inc_author`

adds specs for respective behaviour 2016-12-20 18:52:09 +00:00			`if @snippets.out_of_range? && @snippets.total_pages != 0`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 11:12:20 +00:00			`return redirect_to project_snippets_path(@project, page: @snippets.total_pages)`
adds specs for respective behaviour 2016-12-20 18:52:09 +00:00			`end`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 11:12:20 +00:00
			`@noteable_meta_data = noteable_meta_data(@snippets, 'Snippet')`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`def new`
Fix autocomplete for new issues/MRs/snippets 2016-01-15 10:29:53 +00:00			`@snippet = @noteable = @project.snippets.build`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`def create`
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`create_params = snippet_params.merge(spammable_params)`

Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`@snippet = CreateSnippetService.new(@project, current_user, create_params).execute`
Fix 500 error when try to create project snippet without content Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-08-26 21:59:52 +00:00
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`recaptcha_check_with_fallback { render :new }`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`def update`
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`update_params = snippet_params.merge(spammable_params)`

			`UpdateSnippetService.new(project, current_user, @snippet, update_params).execute`

			`recaptcha_check_with_fallback { render :edit }`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`def show`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`blob = @snippet.blob`
Consistent diff and blob size limit names 2017-05-26 23:27:30 +00:00			`conditionally_expand_blob(blob)`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00
			`respond_to do \|format\|`
			`format.html do`
			`@note = @project.notes.new(noteable: @snippet)`
			`@noteable = @snippet`

			`@discussions = @snippet.discussions`
WIP: refactor the first-contributor to Issuable this will remove the need make N queries (per-note) at the cost of having to mark notes with an attribute this opens up the possibility for other special roles for notes 2017-07-29 15:04:42 +00:00			`@notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`render 'show'`
			`end`

			`format.json do`
			`render_blob_json(blob)`
			`end`
Block private snippets from being embeddable 2018-12-11 06:32:25 +00:00
			`format.js do`
			`if @snippet.embeddable?`
			`render 'shared/snippets/show'`
			`else`
			`head :not_found`
			`end`
			`end`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`end`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`def destroy`
Snippets feature refactored. Tests now use spinach 2013-03-24 18:31:14 +00:00			`return access_denied! unless can?(current_user, :admin_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 18:14:37 +00:00
			`@snippet.destroy`

Updates from `rubocop -a` 2018-07-02 10:43:06 +00:00			`redirect_to project_snippets_path(@project), status: :found`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

			`protected`

			`def snippet`
Show the status of a user in interactions The status is shown for - The author of a commit when viewing a commit - Notes on a commit (regular/diff) - The user that triggered a pipeline when viewing a pipeline - The author of a merge request when viewing a merge request - The author of notes on a merge request (regular/diff) - The author of an issue when viewing an issue - The author of notes on an issue - The author of a snippet when viewing a snippet - The author of notes on a snippet - A user's profile page - The list of members of a group/user 2018-07-16 16:18:52 +00:00			`@snippet \|\|= @project.snippets.inc_relations_for_view.find(params[:id])`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`
Start Frontend work, fix routing problem 2016-09-04 08:51:12 +00:00			`alias_method :awardable, :snippet`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`alias_method :spammable, :snippet`
Private field added to snippet 2013-03-23 18:14:37 +00:00
Create and use project path helpers that only need a project, no namespace 2017-06-29 17:06:35 +00:00			`def spammable_path`
			`project_snippet_path(@project, @snippet)`
			`end`

Ensure private project snippets are not viewable by unauthorized people Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/14607. 2016-03-25 11:31:43 +00:00			`def authorize_read_project_snippet!`
			`return render_404 unless can?(current_user, :read_project_snippet, @snippet)`
			`end`

Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 14:44:21 +00:00			`def authorize_update_project_snippet!`
Rename abilities to correspond contoller/model action names write_ was renamed to create_ modify_ was renamed to update_ So now in update action we have next code def create can?(current_user, :create_issue, @issue) end def update can?(current_user, :update_issue, @issue) end Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 13:55:56 +00:00			`return render_404 unless can?(current_user, :update_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

Permissions for Project Snippet fixed 2013-03-25 10:22:14 +00:00			`def authorize_admin_project_snippet!`
Snippets feature refactored. Tests now use spinach 2013-03-24 18:31:14 +00:00			`return render_404 unless can?(current_user, :admin_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`

Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 15:51:11 +00:00			`def snippet_params`
Support descriptions for snippets 2017-05-03 15:26:49 +00:00			`params.require(:project_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)`
Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 15:51:11 +00:00			`end`
Private field added to snippet 2013-03-23 18:14:37 +00:00			`end`