Merge branch 'snippets_visibility' into 'security'
Fix snippets visibility for show action - external users can not see internal snippets See merge request !2087
This commit is contained in:
parent
9ae401cf91
commit
d9ec830a83
4 changed files with 39 additions and 12 deletions
|
@ -103,20 +103,20 @@ class SnippetsController < ApplicationController
|
|||
protected
|
||||
|
||||
def snippet
|
||||
@snippet ||= if current_user
|
||||
PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
|
||||
current_user.id,
|
||||
[Snippet::PUBLIC, Snippet::INTERNAL]).
|
||||
find(params[:id])
|
||||
else
|
||||
PersonalSnippet.find(params[:id])
|
||||
end
|
||||
@snippet ||= PersonalSnippet.find_by(id: params[:id])
|
||||
end
|
||||
|
||||
alias_method :awardable, :snippet
|
||||
alias_method :spammable, :snippet
|
||||
|
||||
def authorize_read_snippet!
|
||||
authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
|
||||
return if can?(current_user, :read_personal_snippet, @snippet)
|
||||
|
||||
if current_user
|
||||
render_404
|
||||
else
|
||||
authenticate_user!
|
||||
end
|
||||
end
|
||||
|
||||
def authorize_update_snippet!
|
||||
|
|
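Review bot: The rewritten `snippet` lookup returns nil for an unknown id instead of raising, so the entire access decision — for missing snippets as well as for internal ones requested by external users — now rests on `can?(current_user, :read_personal_snippet, @snippet)` handling a nil subject and encoding the external-user rule; neither the ability nor the filter order is in this diff, so both should be confirmed, and the intent deserves a comment because `snippet` is also aliased as `awardable` and `spammable`. I'd add above the `find_by` line: `# find_by (not find): a missing id yields nil, and authorize_read_snippet! then answers 404 (signed in) or a sign-in redirect (anonymous), exactly as for a snippet the caller may not read, so snippet existence is not leaked.` Dropping the SQL visibility filter also means the internal/external restriction has no second line of defence, so a spec that logs in an external user and requests an internal snippet is worth having (none is visible in this commit). `snippet` and `authorize_read_snippet!` are complete within the hunk; `authorize_update_snippet!` continues outside it.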
4
changelogs/unreleased/snippets_visibility.yml
Normal file
4
changelogs/unreleased/snippets_visibility.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Fix snippets visibility for show action - external users can not see internal snippets
|
||||
merge_request:
|
||||
author:
|
@ -132,7 +132,7 @@ describe SnippetsController do
|
|||
it 'responds with status 404' do
|
||||
get :show, id: 'doesntexist'
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
expect(response).to redirect_to(new_user_session_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -478,10 +478,10 @@ describe SnippetsController do
|
|||
end
|
||||
|
||||
context 'when not signed in' do
|
||||
it 'responds with status 404' do
|
||||
it 'redirects to the sign in path' do
|
||||
get :raw, id: 'doesntexist'
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
expect(response).to redirect_to(new_user_session_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
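Review bot: In the first hunk the example still reads `it 'responds with status 404'` while its expectation was changed to `redirect_to(new_user_session_path)`, so the description now contradicts what the example asserts; the second hunk renames the equivalent example to `it 'redirects to the sign in path'`. Rename the first one the same way: `it 'redirects to the sign in path' do`. The `context`/`describe` blocks enclosing both hunks begin outside the hunk.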
|
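--- a/spec/features/snippets/internal_snippet_spec.rb
+++ b/spec/features/snippets/internal_snippet_spec.rb
@@ -0,0 +1,23 @@
+require 'rails_helper'
+
+feature 'Internal Snippets', feature: true, js: true do
+  let(:internal_snippet) { create(:personal_snippet, :internal) }
+
+  describe 'normal user' do
+    before do
+      login_as :user
+    end
+
+    scenario 'sees internal snippets' do
+      visit snippet_path(internal_snippet)
+
+      expect(page).to have_content(internal_snippet.content)
+    end
+
+    scenario 'sees raw internal snippets' do
+      visit raw_snippet_path(internal_snippet)
+
+      expect(page).to have_content(internal_snippet.content)
+    end
+  end
+end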
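Review bot: The new feature spec covers only the positive case — a normal user can see an internal snippet — and nothing in this file exercises the case the commit title fixes, an external user being denied access to an internal snippet, so a regression of the fix would pass this suite unless it is asserted elsewhere. I'd add a sibling `describe 'external user'` block that signs in an external user, visits `snippet_path(internal_snippet)` and `raw_snippet_path(internal_snippet)`, and asserts the snippet content is not shown (a non-`js` spec could assert the 404 status directly, which `js: true` drivers generally cannot). I cannot tell from this diff how an external user is created in the factories, so the `login_as` form below needs confirming.
```ruby
  # … unchanged: describe 'normal user' …

  describe 'external user' do
    before do
      login_as create(:user, external: true) # confirm: attribute/trait for external users
    end

    scenario 'does not see internal snippets' do
      visit snippet_path(internal_snippet)

      expect(page).not_to have_content(internal_snippet.content)
    end

    scenario 'does not see raw internal snippets' do
      visit raw_snippet_path(internal_snippet)

      expect(page).not_to have_content(internal_snippet.content)
    end
  end
```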