gitlab-org--gitlab-foss/app/controllers/snippets_controller.rb

# frozen_string_literal: true

class SnippetsController < ApplicationController
  include RendersNotes
  include ToggleAwardEmoji
  include SpammableActions
  include SnippetsActions
  include RendersBlob
  include PreviewMarkdown

  skip_before_action :verify_authenticity_token, only: [:show], if: :js_request?

  before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]

  # Allow read snippet
  before_action :authorize_read_snippet!, only: [:show, :raw]

  # Allow modify snippet
  before_action :authorize_update_snippet!, only: [:edit, :update]

  # Allow destroy snippet
  before_action :authorize_admin_snippet!, only: [:destroy]

  skip_before_action :authenticate_user!, only: [:index, :show, :raw]

  layout 'snippets'
  respond_to :html

  # rubocop: disable CodeReuse/ActiveRecord
  def index
    if params[:username].present?
      @user = User.find_by(username: params[:username])

      return render_404 unless @user

      @snippets = SnippetsFinder.new(current_user, author: @user, scope: params[:scope])
        .execute.page(params[:page])

      render 'index'
    else
      redirect_to(current_user ? dashboard_snippets_path : explore_snippets_path)
    end
  end
  # rubocop: enable CodeReuse/ActiveRecord

  def new
    @snippet = PersonalSnippet.new
  end

  def create
    create_params = snippet_params.merge(spammable_params)

    @snippet = CreateSnippetService.new(nil, current_user, create_params).execute

    move_temporary_files if @snippet.valid? && params[:files]

    recaptcha_check_with_fallback { render :new }
  end

  def update
    update_params = snippet_params.merge(spammable_params)

    UpdateSnippetService.new(nil, current_user, @snippet, update_params).execute

    recaptcha_check_with_fallback { render :edit }
  end

  def show
    blob = @snippet.blob
    conditionally_expand_blob(blob)

    @note = Note.new(noteable: @snippet)
    @noteable = @snippet

    @discussions = @snippet.discussions
    @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)

    respond_to do |format|
      format.html do
        render 'show'
      end

      format.json do
        render_blob_json(blob)
      end

      format.js { render 'shared/snippets/show' }
    end
  end

  def destroy
    return access_denied! unless can?(current_user, :admin_personal_snippet, @snippet)

    @snippet.destroy

    redirect_to snippets_path, status: :found
  end

  protected

  # rubocop: disable CodeReuse/ActiveRecord
  def snippet
    @snippet ||= PersonalSnippet.inc_relations_for_view.find_by(id: params[:id])
  end
  # rubocop: enable CodeReuse/ActiveRecord

  alias_method :awardable, :snippet
  alias_method :spammable, :snippet

  def spammable_path
    snippet_path(@snippet)
  end

  def authorize_read_snippet!
    return if can?(current_user, :read_personal_snippet, @snippet)

    if current_user
      render_404
    else
      authenticate_user!
    end
  end

  def authorize_update_snippet!
    return render_404 unless can?(current_user, :update_personal_snippet, @snippet)
  end

  def authorize_admin_snippet!
    return render_404 unless can?(current_user, :admin_personal_snippet, @snippet)
  end

  def snippet_params
    params.require(:personal_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)
  end

  def move_temporary_files
    params[:files].each do |file|
      FileMover.new(file, @snippet).execute
    end
  end
end
Enable frozen string in app/controllers/*/.rb Enables frozen string for the following: * app/controllers/.rb app/controllers/admin/*/.rb * app/controllers/boards/*/.rb * app/controllers/ci/*/.rb * app/controllers/concerns/*/.rb Partially addresses #47424. 2018-09-14 05:42:05 +00:00			`# frozen_string_literal: true`

Personal snippets controlelr refactored 2013-03-24 22:17:03 +00:00			`class SnippetsController < ApplicationController`
Display comments for personal snippets 2017-04-27 10:41:26 +00:00			`include RendersNotes`
Snippets get award emoji! :thumbsup: 2016-06-03 09:44:04 +00:00			`include ToggleAwardEmoji`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`include SpammableActions`
Download snippets with LF line-endings by default 2017-02-06 15:04:00 +00:00			`include SnippetsActions`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`include RendersBlob`
Add support for markdown preview to group milestones 2017-10-11 09:03:19 +00:00			`include PreviewMarkdown`
Snippets get award emoji! :thumbsup: 2016-06-03 09:44:04 +00:00
embedded snippets support 2018-02-06 13:33:18 +00:00			`skip_before_action :verify_authenticity_token, only: [:show], if: :js_request?`

Add download button to project snippets 2017-04-30 17:15:20 +00:00			`before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]`
snippets are ready 2011-10-16 21:07:10 +00:00
Improve personal snippet access workflow. Fixes #3258 2015-10-29 20:42:29 +00:00			`# Allow read snippet`
Add download button to project snippets 2017-04-30 17:15:20 +00:00			`before_action :authorize_read_snippet!, only: [:show, :raw]`
Improve personal snippet access workflow. Fixes #3258 2015-10-29 20:42:29 +00:00
Abilities refactoring 2011-12-15 21:57:46 +00:00			`# Allow modify snippet`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 14:44:21 +00:00			`before_action :authorize_update_snippet!, only: [:edit, :update]`
Use navless layout for snippets page 2013-06-18 14:43:49 +00:00
Abilities refactoring 2011-12-15 21:57:46 +00:00			`# Allow destroy snippet`
Fixed the Rails/ActionFilter cop Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-04-16 12:03:37 +00:00			`before_action :authorize_admin_snippet!, only: [:destroy]`
snippets are ready 2011-10-16 21:07:10 +00:00
Add download button to project snippets 2017-04-30 17:15:20 +00:00			`skip_before_action :authenticate_user!, only: [:index, :show, :raw]`
Snippets: public/internal/private 2014-10-08 13:44:25 +00:00
Add helpers for header title and sidebar, and move setting those from controllers to layouts. 2015-05-01 08:39:11 +00:00			`layout 'snippets'`
snippets are ready 2011-10-16 21:07:10 +00:00			`respond_to :html`

Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 15:31:01 +00:00			`# rubocop: disable CodeReuse/ActiveRecord`
user routings refactor 2016-05-08 08:27:33 +00:00			`def index`
			`if params[:username].present?`
			`@user = User.find_by(username: params[:username])`

No more and/or 2017-02-21 22:31:14 +00:00			`return render_404 unless @user`
user routings refactor 2016-05-08 08:27:33 +00:00
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 22:06:27 +00:00			`@snippets = SnippetsFinder.new(current_user, author: @user, scope: params[:scope])`
			`.execute.page(params[:page])`
user routings refactor 2016-05-08 08:27:33 +00:00
			`render 'index'`
			`else`
			`redirect_to(current_user ? dashboard_snippets_path : explore_snippets_path)`
			`end`
			`end`
Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 15:31:01 +00:00			`# rubocop: enable CodeReuse/ActiveRecord`
user routings refactor 2016-05-08 08:27:33 +00:00
clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 13:46:25 +00:00			`def new`
Typos fixed 2013-03-25 16:32:10 +00:00			`@snippet = PersonalSnippet.new`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`

			`def create`
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`create_params = snippet_params.merge(spammable_params)`

Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`@snippet = CreateSnippetService.new(nil, current_user, create_params).execute`
snippets are ready 2011-10-16 21:07:10 +00:00
Support uploads for newly created personal snippets 2017-05-29 07:54:35 +00:00			`move_temporary_files if @snippet.valid? && params[:files]`
Support descriptions for snippets 2017-05-03 15:26:49 +00:00
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`recaptcha_check_with_fallback { render :new }`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`

			`def update`
Spam check and reCAPTCHA improvements 2017-02-14 19:07:11 +00:00			`update_params = snippet_params.merge(spammable_params)`

			`UpdateSnippetService.new(nil, current_user, @snippet, update_params).execute`

			`recaptcha_check_with_fallback { render :edit }`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`

			`def show`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`blob = @snippet.blob`
Consistent diff and blob size limit names 2017-05-26 23:27:30 +00:00			`conditionally_expand_blob(blob)`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00
Support comments for personal snippets 2017-05-03 08:48:01 +00:00			`@note = Note.new(noteable: @snippet)`
Display comments for personal snippets 2017-04-27 10:41:26 +00:00			`@noteable = @snippet`

			`@discussions = @snippet.discussions`
WIP: refactor the first-contributor to Issuable this will remove the need make N queries (per-note) at the cost of having to mark notes with an attribute this opens up the possibility for other special roles for notes 2017-07-29 15:04:42 +00:00			`@notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)`
Display comments for personal snippets 2017-04-27 10:41:26 +00:00
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`respond_to do \|format\|`
			`format.html do`
			`render 'show'`
			`end`

			`format.json do`
			`render_blob_json(blob)`
			`end`
embedded snippets support 2018-02-06 13:33:18 +00:00
			`format.js { render 'shared/snippets/show' }`
Use blob viewers for snippets 2017-04-13 16:47:28 +00:00			`end`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`

			`def destroy`
Personal snippets controlelr refactored 2013-03-24 22:17:03 +00:00			`return access_denied! unless can?(current_user, :admin_personal_snippet, @snippet)`
snippets are ready 2011-10-16 21:07:10 +00:00
			`@snippet.destroy`

Updates from `rubocop -a` 2018-07-02 10:43:06 +00:00			`redirect_to snippets_path, status: :found`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`
Abilities refactoring 2011-12-15 21:57:46 +00:00
			`protected`
Styled snippets. Raw button for snippet 2012-06-12 18:41:46 +00:00
Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 15:31:01 +00:00			`# rubocop: disable CodeReuse/ActiveRecord`
Abilities extended. Resources security improved 2012-02-21 22:31:18 +00:00			`def snippet`
Show the status of a user in interactions The status is shown for - The author of a commit when viewing a commit - Notes on a commit (regular/diff) - The user that triggered a pipeline when viewing a pipeline - The author of a merge request when viewing a merge request - The author of notes on a merge request (regular/diff) - The author of an issue when viewing an issue - The author of notes on an issue - The author of a snippet when viewing a snippet - The author of notes on a snippet - A user's profile page - The list of members of a group/user 2018-07-16 16:18:52 +00:00			`@snippet \|\|= PersonalSnippet.inc_relations_for_view.find_by(id: params[:id])`
Abilities extended. Resources security improved 2012-02-21 22:31:18 +00:00			`end`
Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 15:31:01 +00:00			`# rubocop: enable CodeReuse/ActiveRecord`
Merge branch 'snippets_visibility' into 'security' Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087 2017-04-25 14:41:26 +00:00
Snippets get award emoji! :thumbsup: 2016-06-03 09:44:04 +00:00			`alias_method :awardable, :snippet`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 18:15:59 +00:00			`alias_method :spammable, :snippet`
Abilities refactoring 2011-12-15 21:57:46 +00:00
Create and use project path helpers that only need a project, no namespace 2017-06-29 17:06:35 +00:00			`def spammable_path`
			`snippet_path(@snippet)`
			`end`

Use `read` rather than `show` like the ability name 2015-11-02 16:03:42 +00:00			`def authorize_read_snippet!`
Merge branch 'snippets_visibility' into 'security' Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087 2017-04-25 14:41:26 +00:00			`return if can?(current_user, :read_personal_snippet, @snippet)`

			`if current_user`
			`render_404`
			`else`
			`authenticate_user!`
			`end`
Improve personal snippet access workflow. Fixes #3258 2015-10-29 20:42:29 +00:00			`end`

Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 14:44:21 +00:00			`def authorize_update_snippet!`
Rename abilities to correspond contoller/model action names write_ was renamed to create_ modify_ was renamed to update_ So now in update action we have next code def create can?(current_user, :create_issue, @issue) end def update can?(current_user, :update_issue, @issue) end Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 13:55:56 +00:00			`return render_404 unless can?(current_user, :update_personal_snippet, @snippet)`
Abilities refactoring 2011-12-15 21:57:46 +00:00			`end`

			`def authorize_admin_snippet!`
Personal snippets controlelr refactored 2013-03-24 22:17:03 +00:00			`return render_404 unless can?(current_user, :admin_personal_snippet, @snippet)`
Move snippets to own tab as feature. Make it disabled for new projects by default 2013-03-18 21:33:41 +00:00			`end`
Use navless layout for snippets page 2013-06-18 14:43:49 +00:00
Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 15:51:11 +00:00			`def snippet_params`
Support descriptions for snippets 2017-05-03 15:26:49 +00:00			`params.require(:personal_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)`
			`end`

			`def move_temporary_files`
			`params[:files].each do \|file\|`
			`FileMover.new(file, @snippet).execute`
			`end`
Snippets: public/internal/private 2014-10-08 13:44:25 +00:00			`end`
snippets are ready 2011-10-16 21:07:10 +00:00			`end`