gitlab-org--gitlab-foss/app/controllers/projects/snippets_controller.rb

class Projects::SnippetsController < Projects::ApplicationController
  include RendersNotes
  include ToggleAwardEmoji
  include SpammableActions
  include SnippetsActions
  include RendersBlob

  before_action :check_snippets_available!
  before_action :snippet, only: [:show, :edit, :destroy, :update, :raw, :toggle_award_emoji, :mark_as_spam]

  # Allow read any snippet
  before_action :authorize_read_project_snippet!, except: [:new, :create, :index]

  # Allow write(create) snippet
  before_action :authorize_create_project_snippet!, only: [:new, :create]

  # Allow modify snippet
  before_action :authorize_update_project_snippet!, only: [:edit, :update]

  # Allow destroy snippet
  before_action :authorize_admin_project_snippet!, only: [:destroy]

  respond_to :html

  def index
    @snippets = SnippetsFinder.new(
      current_user,
      project: @project,
      scope: params[:scope]
    ).execute
    @snippets = @snippets.page(params[:page])
    if @snippets.out_of_range? && @snippets.total_pages != 0
      redirect_to project_snippets_path(@project, page: @snippets.total_pages)
    end
  end

  def new
    @snippet = @noteable = @project.snippets.build
  end

  def create
    create_params = snippet_params.merge(spammable_params)

    @snippet = CreateSnippetService.new(@project, current_user, create_params).execute

    recaptcha_check_with_fallback { render :new }
  end

  def update
    update_params = snippet_params.merge(spammable_params)

    UpdateSnippetService.new(project, current_user, @snippet, update_params).execute

    recaptcha_check_with_fallback { render :edit }
  end

  def show
    blob = @snippet.blob
    conditionally_expand_blob(blob)

    respond_to do |format|
      format.html do
        @note = @project.notes.new(noteable: @snippet)
        @noteable = @snippet

        @discussions = @snippet.discussions
        @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)
        render 'show'
      end

      format.json do
        render_blob_json(blob)
      end
    end
  end

  def destroy
    return access_denied! unless can?(current_user, :admin_project_snippet, @snippet)

    @snippet.destroy

    redirect_to project_snippets_path(@project), status: 302
  end

  protected

  def snippet
    @snippet ||= @project.snippets.find(params[:id])
  end
  alias_method :awardable, :snippet
  alias_method :spammable, :snippet

  def spammable_path
    project_snippet_path(@project, @snippet)
  end

  def authorize_read_project_snippet!
    return render_404 unless can?(current_user, :read_project_snippet, @snippet)
  end

  def authorize_update_project_snippet!
    return render_404 unless can?(current_user, :update_project_snippet, @snippet)
  end

  def authorize_admin_project_snippet!
    return render_404 unless can?(current_user, :admin_project_snippet, @snippet)
  end

  def snippet_params
    params.require(:project_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)
  end
end
Project snippets moved to /projects 2013-03-23 15:13:51 -04:00			`class Projects::SnippetsController < Projects::ApplicationController`
Address review comments 2017-03-30 23:06:09 -04:00			`include RendersNotes`
Start Frontend work, fix routing problem 2016-09-04 04:51:12 -04:00			`include ToggleAwardEmoji`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`include SpammableActions`
Download snippets with LF line-endings by default 2017-02-06 10:04:00 -05:00			`include SnippetsActions`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`include RendersBlob`
Start Frontend work, fix routing problem 2016-09-04 04:51:12 -04:00
Use the new check_project_feature_available! method in project controllers 2017-06-20 07:13:04 -04:00			`before_action :check_snippets_available!`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`before_action :snippet, only: [:show, :edit, :destroy, :update, :raw, :toggle_award_emoji, :mark_as_spam]`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`# Allow read any snippet`
Ensure project snippets have their own access level 2016-03-25 13:51:17 -04:00			`before_action :authorize_read_project_snippet!, except: [:new, :create, :index]`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`# Allow write(create) snippet`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 10:44:21 -04:00			`before_action :authorize_create_project_snippet!, only: [:new, :create]`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`# Allow modify snippet`
Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 10:44:21 -04:00			`before_action :authorize_update_project_snippet!, only: [:edit, :update]`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`# Allow destroy snippet`
Fixed the Rails/ActionFilter cop Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-04-16 08:03:37 -04:00			`before_action :authorize_admin_project_snippet!, only: [:destroy]`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`respond_to :html`

			`def index`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`@snippets = SnippetsFinder.new(`
add scope filters to project snippets page 2016-12-07 17:35:53 -05:00			`current_user,`
			`project: @project,`
			`scope: params[:scope]`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`).execute`
adds specs for respective behaviour 2016-12-20 13:52:09 -05:00			`@snippets = @snippets.page(params[:page])`
			`if @snippets.out_of_range? && @snippets.total_pages != 0`
Create and use project path helpers that only need a project, no namespace 2017-06-29 13:06:35 -04:00			`redirect_to project_snippets_path(@project, page: @snippets.total_pages)`
adds specs for respective behaviour 2016-12-20 13:52:09 -05:00			`end`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`def new`
Fix autocomplete for new issues/MRs/snippets 2016-01-15 05:29:53 -05:00			`@snippet = @noteable = @project.snippets.build`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`def create`
Spam check and reCAPTCHA improvements 2017-02-14 14:07:11 -05:00			`create_params = snippet_params.merge(spammable_params)`

Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`@snippet = CreateSnippetService.new(@project, current_user, create_params).execute`
Fix 500 error when try to create project snippet without content Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-08-26 17:59:52 -04:00
Spam check and reCAPTCHA improvements 2017-02-14 14:07:11 -05:00			`recaptcha_check_with_fallback { render :new }`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`def update`
Spam check and reCAPTCHA improvements 2017-02-14 14:07:11 -05:00			`update_params = snippet_params.merge(spammable_params)`

			`UpdateSnippetService.new(project, current_user, @snippet, update_params).execute`

			`recaptcha_check_with_fallback { render :edit }`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`def show`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`blob = @snippet.blob`
Consistent diff and blob size limit names 2017-05-26 19:27:30 -04:00			`conditionally_expand_blob(blob)`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00
			`respond_to do \|format\|`
			`format.html do`
			`@note = @project.notes.new(noteable: @snippet)`
			`@noteable = @snippet`

			`@discussions = @snippet.discussions`
WIP: refactor the first-contributor to Issuable this will remove the need make N queries (per-note) at the cost of having to mark notes with an attribute this opens up the possibility for other special roles for notes 2017-07-29 11:04:42 -04:00			`@notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)`
Use blob viewers for snippets 2017-04-13 12:47:28 -04:00			`render 'show'`
			`end`

			`format.json do`
			`render_blob_json(blob)`
			`end`
			`end`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`def destroy`
Snippets feature refactored. Tests now use spinach 2013-03-24 14:31:14 -04:00			`return access_denied! unless can?(current_user, :admin_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 14:14:37 -04:00
			`@snippet.destroy`

Create and use project path helpers that only need a project, no namespace 2017-06-29 13:06:35 -04:00			`redirect_to project_snippets_path(@project), status: 302`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

			`protected`

			`def snippet`
			`@snippet \|\|= @project.snippets.find(params[:id])`
			`end`
Start Frontend work, fix routing problem 2016-09-04 04:51:12 -04:00			`alias_method :awardable, :snippet`
Check public snippets for spam Apply the same spam checks to public snippets (either personal snippets that are public, or public snippets on public projects) as to issues on public projects. 2017-02-01 13:15:59 -05:00			`alias_method :spammable, :snippet`
Private field added to snippet 2013-03-23 14:14:37 -04:00
Create and use project path helpers that only need a project, no namespace 2017-06-29 13:06:35 -04:00			`def spammable_path`
			`project_snippet_path(@project, @snippet)`
			`end`

Ensure private project snippets are not viewable by unauthorized people Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/14607. 2016-03-25 07:31:43 -04:00			`def authorize_read_project_snippet!`
			`return render_404 unless can?(current_user, :read_project_snippet, @snippet)`
			`end`

Update controller filters Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 10:44:21 -04:00			`def authorize_update_project_snippet!`
Rename abilities to correspond contoller/model action names write_ was renamed to create_ modify_ was renamed to update_ So now in update action we have next code def create can?(current_user, :create_issue, @issue) end def update can?(current_user, :update_issue, @issue) end Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-06-26 09:55:56 -04:00			`return render_404 unless can?(current_user, :update_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

Permissions for Project Snippet fixed 2013-03-25 06:22:14 -04:00			`def authorize_admin_project_snippet!`
Snippets feature refactored. Tests now use spinach 2013-03-24 14:31:14 -04:00			`return render_404 unless can?(current_user, :admin_project_snippet, @snippet)`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`

Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 11:51:11 -04:00			`def snippet_params`
Support descriptions for snippets 2017-05-03 11:26:49 -04:00			`params.require(:project_snippet).permit(:title, :content, :file_name, :private, :visibility_level, :description)`
Project hook, milestone, snippet strong params Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-26 11:51:11 -04:00			`end`
Private field added to snippet 2013-03-23 14:14:37 -04:00			`end`