gitlab-org--gitlab-foss/app/controllers/snippets_controller.rb

# frozen_string_literal: true

class SnippetsController < ApplicationController
  include RendersNotes
  include ToggleAwardEmoji
  include SpammableActions
  include SnippetsActions
  include RendersBlob
  include PreviewMarkdown
  include PaginatedCollection
  include Gitlab::NoteableMetadata

  skip_before_action :verify_authenticity_token,
    if: -> { action_name == 'show' && js_request? }

  before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]

  before_action :authorize_create_snippet!, only: [:new, :create]
  before_action :authorize_read_snippet!, only: [:show, :raw]
  before_action :authorize_update_snippet!, only: [:edit, :update]
  before_action :authorize_admin_snippet!, only: [:destroy]

  skip_before_action :authenticate_user!, only: [:index, :show, :raw]

  layout 'snippets'
  respond_to :html

  def index
    if params[:username].present?
      @user = UserFinder.new(params[:username]).find_by_username!

      @snippets = SnippetsFinder.new(current_user, author: @user, scope: params[:scope])
        .execute
        .page(params[:page])
        .inc_author

      return if redirect_out_of_range(@snippets)

      @noteable_meta_data = noteable_meta_data(@snippets, 'Snippet')

      render 'index'
    else
      redirect_to(current_user ? dashboard_snippets_path : explore_snippets_path)
    end
  end

  def new
    @snippet = PersonalSnippet.new
  end

  def create
    create_params = snippet_params.merge(files: params.delete(:files))
    service_response = Snippets::CreateService.new(nil, current_user, create_params).execute
    @snippet = service_response.payload[:snippet]

    if service_response.error? && @snippet.errors[:repository].present?
      handle_repository_error(:new)
    else
      recaptcha_check_with_fallback { render :new }
    end
  end

  def update
    service_response = Snippets::UpdateService.new(nil, current_user, snippet_params).execute(@snippet)
    @snippet = service_response.payload[:snippet]

    handle_repository_error(:edit)
  end

  def show
    conditionally_expand_blob(blob)

    respond_to do |format|
      format.html do
        @note = Note.new(noteable: @snippet)
        @noteable = @snippet

        @discussions = @snippet.discussions
        @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)
        render 'show'
      end

      format.json do
        render_blob_json(blob)
      end

      format.js do
        if @snippet.embeddable?
          render 'shared/snippets/show'
        else
          head :not_found
        end
      end
    end
  end

  def destroy
    service_response = Snippets::DestroyService.new(current_user, @snippet).execute

    if service_response.success?
      redirect_to dashboard_snippets_path, status: :found
    elsif service_response.http_status == 403
      access_denied!
    else
      redirect_to snippet_path(@snippet),
                  status: :found,
                  alert: service_response.message
    end
  end

  protected

  # rubocop: disable CodeReuse/ActiveRecord
  def snippet
    @snippet ||= PersonalSnippet.inc_relations_for_view.find_by(id: params[:id])
  end
  # rubocop: enable CodeReuse/ActiveRecord

  alias_method :awardable, :snippet
  alias_method :spammable, :snippet

  def spammable_path
    snippet_path(@snippet)
  end

  def authorize_read_snippet!
    return if can?(current_user, :read_snippet, @snippet)

    if current_user
      render_404
    else
      authenticate_user!
    end
  end

  def authorize_update_snippet!
    return render_404 unless can?(current_user, :update_snippet, @snippet)
  end

  def authorize_admin_snippet!
    return render_404 unless can?(current_user, :admin_snippet, @snippet)
  end

  def authorize_create_snippet!
    return render_404 unless can?(current_user, :create_snippet)
  end

  def snippet_params
    params.require(:personal_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description).merge(spammable_params)
  end
end
Enable frozen string in app/controllers/*/.rb Enables frozen string for the following: * app/controllers/.rb app/controllers/admin/*/.rb * app/controllers/boards/*/.rb * app/controllers/ci/*/.rb * app/controllers/concerns/*/.rb Partially addresses #47424. 2018-09-14 01:42:05 -04:00			`# frozen_string_literal: true`

Personal snippets controlelr refactored 2013-03-24 18:17:03 -04:00			`class SnippetsController < ApplicationController`
Display comments for personal snippets 2017-04-27 06:41:26 -04:00			`include RendersNotes`
Snippets get award emoji! :thumbsup: 2016-06-03 05:44:04 -04:00			`include ToggleAwardEmoji`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`include SpammableActions`
Download snippets with LF line-endings by default 2017-02-06 10:04:00 -05:00			`include SnippetsActions`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`include RendersBlob`
Add support for markdown preview to group milestones 2017-10-11 05:03:19 -04:00			`include PreviewMarkdown`
Add controller concern for paginated collections We had similar code in a few places to redirect to the last page if the given page number is out of range. This unifies the handling in a new controller concern and adds usage of it in all snippet listings. 2019-09-03 13:45:00 -04:00			`include PaginatedCollection`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 07:12:20 -04:00			`include Gitlab::NoteableMetadata`
Snippets get award emoji! :thumbsup: 2016-06-03 05:44:04 -04:00
Rewrite `if:` argument in before_action and alike when `only:` is also used Closes #55564 This is first discovered in #54739 (comment 122609857) that if both if: and only: are used in a before_action or after_action or alike, if: is completely ignored. 2019-02-27 02:41:14 -05:00			`skip_before_action :verify_authenticity_token,`
			`if: -> { action_name == 'show' && js_request? }`
embedded snippets support 2018-02-06 08:33:18 -05:00
Add download button to project snippets 2017-04-30 13:15:20 -04:00			`before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]`
snippets are ready 2011-10-16 17:07:10 -04:00
Add latest changes from gitlab-org/gitlab@master 2019-11-29 16:06:13 -05:00			`before_action :authorize_create_snippet!, only: [:new, :create]`
Add download button to project snippets 2017-04-30 13:15:20 -04:00			`before_action :authorize_read_snippet!, only: [:show, :raw]`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 10:44:21 -04:00			`before_action :authorize_update_snippet!, only: [:edit, :update]`
Fixed the Rails/ActionFilter cop Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-04-16 08:03:37 -04:00			`before_action :authorize_admin_snippet!, only: [:destroy]`
snippets are ready 2011-10-16 17:07:10 -04:00
Add download button to project snippets 2017-04-30 13:15:20 -04:00			`skip_before_action :authenticate_user!, only: [:index, :show, :raw]`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00
Add helpers for header title and sidebar, and move setting those from controllers to layouts. 2015-05-01 04:39:11 -04:00			`layout 'snippets'`
snippets are ready 2011-10-16 17:07:10 -04:00			`respond_to :html`

user routings refactor 2016-05-08 04:27:33 -04:00			`def index`
			`if params[:username].present?`
Make getting a user by the username case insensitive 2018-10-18 05:06:44 -04:00			`@user = UserFinder.new(params[:username]).find_by_username!`
user routings refactor 2016-05-08 04:27:33 -04:00
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`@snippets = SnippetsFinder.new(current_user, author: @user, scope: params[:scope])`
Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 07:12:20 -04:00			`.execute`
			`.page(params[:page])`
			`.inc_author`

Add controller concern for paginated collections We had similar code in a few places to redirect to the last page if the given page number is out of range. This unifies the handling in a new controller concern and adds usage of it in all snippet listings. 2019-09-03 13:45:00 -04:00			`return if redirect_out_of_range(@snippets)`

Optimize queries for snippet listings - Avoid N+1 queries for authors and comment counts - Avoid an additional snippet existence query 2019-09-02 07:12:20 -04:00			`@noteable_meta_data = noteable_meta_data(@snippets, 'Snippet')`
user routings refactor 2016-05-08 04:27:33 -04:00
			`render 'index'`
			`else`
			`redirect_to(current_user ? dashboard_snippets_path : explore_snippets_path)`
			`end`
			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 09:46:25 -04:00			`def new`
Typos fixed 2013-03-25 12:32:10 -04:00			`@snippet = PersonalSnippet.new`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`

			`def create`
Add latest changes from gitlab-org/gitlab@master 2020-05-18 02:08:14 -04:00			`create_params = snippet_params.merge(files: params.delete(:files))`
Add latest changes from gitlab-org/gitlab@master 2020-01-16 19:09:00 -05:00			`service_response = Snippets::CreateService.new(nil, current_user, create_params).execute`
			`@snippet = service_response.payload[:snippet]`
snippets are ready 2011-10-16 17:07:10 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-05-13 17:08:55 -04:00			`if service_response.error? && @snippet.errors[:repository].present?`
			`handle_repository_error(:new)`
Add latest changes from gitlab-org/gitlab@master 2020-03-10 08:08:16 -04:00			`else`
			`recaptcha_check_with_fallback { render :new }`
			`end`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`

			`def update`
Add latest changes from gitlab-org/gitlab@master 2020-05-18 02:08:14 -04:00			`service_response = Snippets::UpdateService.new(nil, current_user, snippet_params).execute(@snippet)`
Add latest changes from gitlab-org/gitlab@master 2020-01-16 19:09:00 -05:00			`@snippet = service_response.payload[:snippet]`
Spam check and reCAPTCHA improvements 2017-02-14 14:07:11 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-05-13 17:08:55 -04:00			`handle_repository_error(:edit)`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`

			`def show`
Consistent diff and blob size limit names 2017-05-26 19:27:30 -04:00			`conditionally_expand_blob(blob)`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00
			`respond_to do \|format\|`
			`format.html do`
Add latest changes from gitlab-org/gitlab@master 2020-02-25 04:09:10 -05:00			`@note = Note.new(noteable: @snippet)`
			`@noteable = @snippet`

			`@discussions = @snippet.discussions`
			`@notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`render 'show'`
			`end`

			`format.json do`
			`render_blob_json(blob)`
			`end`
embedded snippets support 2018-02-06 08:33:18 -05:00
Block private snippets from being embeddable 2018-12-11 01:32:25 -05:00			`format.js do`
			`if @snippet.embeddable?`
			`render 'shared/snippets/show'`
			`else`
			`head :not_found`
			`end`
			`end`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`end`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`

			`def destroy`
Add latest changes from gitlab-org/gitlab@master 2020-01-16 19:09:00 -05:00			`service_response = Snippets::DestroyService.new(current_user, @snippet).execute`
snippets are ready 2011-10-16 17:07:10 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-01-16 19:09:00 -05:00			`if service_response.success?`
			`redirect_to dashboard_snippets_path, status: :found`
			`elsif service_response.http_status == 403`
			`access_denied!`
			`else`
			`redirect_to snippet_path(@snippet),`
			`status: :found,`
			`alert: service_response.message`
			`end`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`
Abilities refactoring 2011-12-15 16:57:46 -05:00
			`protected`
Styled snippets. Raw button for snippet 2012-06-12 14:41:46 -04:00
Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 11:31:01 -04:00			`# rubocop: disable CodeReuse/ActiveRecord`
Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`def snippet`
Show the status of a user in interactions The status is shown for - The author of a commit when viewing a commit - Notes on a commit (regular/diff) - The user that triggered a pipeline when viewing a pipeline - The author of a merge request when viewing a merge request - The author of notes on a merge request (regular/diff) - The author of an issue when viewing an issue - The author of notes on an issue - The author of a snippet when viewing a snippet - The author of notes on a snippet - A user's profile page - The list of members of a group/user 2018-07-16 12:18:52 -04:00			`@snippet \|\|= PersonalSnippet.inc_relations_for_view.find_by(id: params[:id])`
Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`end`
Disable existing offenses for the CodeReuse cops This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop. 2018-08-27 11:31:01 -04:00			`# rubocop: enable CodeReuse/ActiveRecord`
Merge branch 'snippets_visibility' into 'security' Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087 2017-04-25 10:41:26 -04:00
Snippets get award emoji! :thumbsup: 2016-06-03 05:44:04 -04:00			`alias_method :awardable, :snippet`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`alias_method :spammable, :snippet`
Abilities refactoring 2011-12-15 16:57:46 -05:00
Create and use project path helpers that only need a project, no namespace 2017-06-29 13:06:35 -04:00			`def spammable_path`
			`snippet_path(@snippet)`
			`end`

Use `read` rather than `show` like the ability name 2015-11-02 11:03:42 -05:00			`def authorize_read_snippet!`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`return if can?(current_user, :read_snippet, @snippet)`
Merge branch 'snippets_visibility' into 'security' Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087 2017-04-25 10:41:26 -04:00
			`if current_user`
			`render_404`
			`else`
			`authenticate_user!`
			`end`
Improve personal snippet access workflow. Fixes #3258 2015-10-29 16:42:29 -04:00			`end`

Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 10:44:21 -04:00			`def authorize_update_snippet!`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`return render_404 unless can?(current_user, :update_snippet, @snippet)`
Abilities refactoring 2011-12-15 16:57:46 -05:00			`end`

			`def authorize_admin_snippet!`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`return render_404 unless can?(current_user, :admin_snippet, @snippet)`
Move snippets to own tab as feature. Make it disabled for new projects by default 2013-03-18 17:33:41 -04:00			`end`
Use navless layout for snippets page 2013-06-18 10:43:49 -04:00
Add latest changes from gitlab-org/gitlab@master 2019-11-29 16:06:13 -05:00			`def authorize_create_snippet!`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`return render_404 unless can?(current_user, :create_snippet)`
Add latest changes from gitlab-org/gitlab@master 2019-11-29 16:06:13 -05:00			`end`

Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 11:51:11 -04:00			`def snippet_params`
Add latest changes from gitlab-org/gitlab@master 2020-05-18 02:08:14 -04:00			`params.require(:personal_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description).merge(spammable_params)`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00			`end`
snippets are ready 2011-10-16 17:07:10 -04:00			`end`