gitlab-org--gitlab-foss/app/controllers/uploads_controller.rb

# frozen_string_literal: true

class UploadsController < ApplicationController
  include UploadsActions
  include WorkhorseRequest

  UnknownUploadModelError = Class.new(StandardError)

  MODEL_CLASSES = {
    "user"             => User,
    "project"          => Project,
    "note"             => Note,
    "group"            => Group,
    "appearance"       => Appearance,
    "personal_snippet" => PersonalSnippet,
    nil                => PersonalSnippet
  }.freeze

  rescue_from UnknownUploadModelError, with: :render_404

  skip_before_action :authenticate_user!
  before_action :upload_mount_satisfied?
  before_action :authorize_access!, only: [:show]
  before_action :authorize_create_access!, only: [:create, :authorize]
  before_action :verify_workhorse_api!, only: [:authorize]

  def uploader_class
    PersonalFileUploader
  end

  def find_model
    return unless params[:id]

    upload_model_class.find(params[:id])
  end

  def authorize_access!
    return unless model

    authorized =
      case model
      when Note
        can?(current_user, :read_project, model.project)
      when Snippet, ProjectSnippet
        can?(current_user, :read_snippet, model)
      when User
        # We validate the current user has enough (writing)
        # access to itself when a secret is given.
        # For instance, user avatars are readable by anyone,
        # while temporary, user snippet uploads are not.
        !secret? || can?(current_user, :update_user, model)
      when Appearance
        true
      else
        permission = "read_#{model.class.underscore}".to_sym

        can?(current_user, permission, model)
      end

    render_unauthorized unless authorized
  end

  def authorize_create_access!
    return unless model

    authorized =
      case model
      when User
        can?(current_user, :update_user, model)
      else
        can?(current_user, :create_note, model)
      end

    render_unauthorized unless authorized
  end

  def render_unauthorized
    if current_user || workhorse_authorize_request?
      render_404
    else
      authenticate_user!
    end
  end

  def cache_settings
    case model
    when User, Appearance
      [5.minutes, { public: true, must_revalidate: false }]
    when Project, Group
      [5.minutes, { private: true, must_revalidate: true }]
    end
  end

  def secret?
    params[:secret].present?
  end

  def upload_model_class
    MODEL_CLASSES[params[:model]] || raise(UnknownUploadModelError)
  end

  def upload_model_class_has_mounts?
    upload_model_class < CarrierWave::Mount::Extension
  end

  def upload_mount_satisfied?
    return true unless upload_model_class_has_mounts?

    upload_model_class.uploader_options.has_key?(upload_mount)
  end
end
Enable frozen string in app/controllers/*/.rb Enables frozen string for the following: * app/controllers/.rb app/controllers/admin/*/.rb * app/controllers/boards/*/.rb * app/controllers/ci/*/.rb * app/controllers/concerns/*/.rb Partially addresses #47424. 2018-09-14 05:42:05 +00:00			`# frozen_string_literal: true`

Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`class UploadsController < ApplicationController`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`include UploadsActions`
Add direct upload support for personal snippets 2019-07-09 18:51:42 +00:00			`include WorkhorseRequest`
Add brakeman rake task and improve code security 2015-03-03 02:11:50 +00:00
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`UnknownUploadModelError = Class.new(StandardError)`

			`MODEL_CLASSES = {`
			`"user" => User,`
			`"project" => Project,`
			`"note" => Note,`
			`"group" => Group,`
			`"appearance" => Appearance,`
			`"personal_snippet" => PersonalSnippet,`
			`nil => PersonalSnippet`
			`}.freeze`

			`rescue_from UnknownUploadModelError, with: :render_404`

Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`skip_before_action :authenticate_user!`
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`before_action :upload_mount_satisfied?`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`before_action :authorize_access!, only: [:show]`
Add direct upload support for personal snippets 2019-07-09 18:51:42 +00:00			`before_action :authorize_create_access!, only: [:create, :authorize]`
			`before_action :verify_workhorse_api!, only: [:authorize]`
Allow non authenticated access to avatars 2015-02-24 03:35:42 +00:00
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`def uploader_class`
			`PersonalFileUploader`
			`end`
Add brakeman rake task and improve code security 2015-03-03 02:11:50 +00:00
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`def find_model`
Adds the Rubocop ReturnNil cop This style change enforces `return if ...` instead of `return nil if ...` to save maintainers a few minor review points 2019-02-08 12:19:53 +00:00			`return unless params[:id]`
Support descriptions for snippets 2017-05-03 15:26:49 +00:00
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`upload_model_class.find(params[:id])`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`

			`def authorize_access!`
Adds the Rubocop ReturnNil cop This style change enforces `return if ...` instead of `return nil if ...` to save maintainers a few minor review points 2019-02-08 12:19:53 +00:00			`return unless model`
Support uploads for newly created personal snippets 2017-05-29 07:54:35 +00:00
Fixed the Rails/ActionFilter cop Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-04-16 12:03:37 +00:00			`authorized =`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`case model`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`when Note`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`can?(current_user, :read_project, model.project)`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 12:08:38 +00:00			`when Snippet, ProjectSnippet`
			`can?(current_user, :read_snippet, model)`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`when User`
Persist tmp snippet uploads It persist temporary personal snippets under user/:id namespaces temporarily while creating a upload record to track it. If an user gets removed while it's still a tmp upload, it also gets removed. If the tmp upload is sent, the upload gets moved to personal_snippets/:id as before. The upload record also gets updated to the new model type as well. 2019-06-04 23:50:57 +00:00			`# We validate the current user has enough (writing)`
			`# access to itself when a secret is given.`
			`# For instance, user avatars are readable by anyone,`
			`# while temporary, user snippet uploads are not.`
			`!secret? \|\| can?(current_user, :update_user, model)`
Fixes the 500 for custom apearance header logo and logo 2017-05-19 09:20:51 +00:00			`when Appearance`
			`true`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`else`
Optimise upload path calls String#underscore isn't particularly slow, but it's possible for us to call it many times in a users autocomplete request, with mostly-static values ('User', 'Group', etc.). We can memoise this and save a surprising amount of time (around 10% of the total request time in some cases). 2019-05-11 12:06:44 +00:00			`permission = "read_#{model.class.underscore}".to_sym`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00
			`can?(current_user, permission, model)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`

Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`render_unauthorized unless authorized`
			`end`

			`def authorize_create_access!`
Adds the Rubocop ReturnNil cop This style change enforces `return if ...` instead of `return nil if ...` to save maintainers a few minor review points 2019-02-08 12:19:53 +00:00			`return unless model`
Support descriptions for snippets 2017-05-03 15:26:49 +00:00
Persist tmp snippet uploads It persist temporary personal snippets under user/:id namespaces temporarily while creating a upload record to track it. If an user gets removed while it's still a tmp upload, it also gets removed. If the tmp upload is sent, the upload gets moved to personal_snippets/:id as before. The upload record also gets updated to the new model type as well. 2019-06-04 23:50:57 +00:00			`authorized =`
			`case model`
			`when User`
			`can?(current_user, :update_user, model)`
			`else`
			`can?(current_user, :create_note, model)`
			`end`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`render_unauthorized unless authorized`
			`end`

			`def render_unauthorized`
Add direct upload support for personal snippets 2019-07-09 18:51:42 +00:00			`if current_user \|\| workhorse_authorize_request?`
Only render 404 page from /public 2015-10-09 17:07:29 +00:00			`render_404`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`else`
			`authenticate_user!`
Allow non authenticated access to avatars 2015-02-24 03:35:42 +00:00			`end`
			`end`
Add brakeman rake task and improve code security 2015-03-03 02:11:50 +00:00
Add latest changes from gitlab-org/gitlab@master 2019-10-14 15:06:07 +00:00			`def cache_settings`
			`case model`
			`when User, Appearance`
			`[5.minutes, { public: true, must_revalidate: false }]`
			`when Project, Group`
			`[5.minutes, { private: true, must_revalidate: true }]`
			`end`
Changed the Caching of User Avatars to be public and to 5 minutes 2019-01-21 21:25:54 +00:00			`end`

Persist tmp snippet uploads It persist temporary personal snippets under user/:id namespaces temporarily while creating a upload record to track it. If an user gets removed while it's still a tmp upload, it also gets removed. If the tmp upload is sent, the upload gets moved to personal_snippets/:id as before. The upload record also gets updated to the new model type as well. 2019-06-04 23:50:57 +00:00			`def secret?`
			`params[:secret].present?`
			`end`

port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`def upload_model_class`
			`MODEL_CLASSES[params[:model]] \|\| raise(UnknownUploadModelError)`
Add brakeman rake task and improve code security 2015-03-03 02:11:50 +00:00			`end`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`def upload_model_class_has_mounts?`
			`upload_model_class < CarrierWave::Mount::Extension`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`end`

port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`def upload_mount_satisfied?`
			`return true unless upload_model_class_has_mounts?`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00
port of 594e6a0a625^..f74c90f68c6 2018-01-29 17:57:34 +00:00			`upload_model_class.uploader_options.has_key?(upload_mount)`
Support uploaders for personal snippets comments 2017-05-01 13:14:35 +00:00			`end`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`end`