ba377e91e1
Previously, if a user was a guest member of a private project, they could access the merge request template as we were not checking permission levels of the user. When an issue template is asked for, the user must have :read_issue for the project; or :read_merge_request when a merge request template is asked for. We also now rescue_from FileNotFoundError and handle as 404. This is because RepoTemplateFinder can raise a FileNotFoundError exception, which Rails previously handled as a 500. Handling these in a way that is consistent with ActiveRecord::RecordNotFound exceptions, within controllers that inherit from Projects::ApplicationController at least, and returning a 404. https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
34 lines
986 B
Ruby
# frozen_string_literal: true

class Projects::TemplatesController < Projects::ApplicationController
  before_action :authenticate_user!
  before_action :authorize_can_read_issuable!
  before_action :get_template_class

  # Renders the requested template as JSON. A missing template file makes the
  # finder raise FileNotFoundError, which Projects::ApplicationController now
  # rescues and renders as a 404 (see the commit message above).
  def show
    template = @template_type.find(params[:key], project)

    respond_to do |format|
      format.json { render json: template.to_json }
    end
  end

  private

  # User must have:
  # - `read_merge_request` to see merge request templates, or
  # - `read_issue` to see issue templates
  #
  # Note params[:template_type] has a route constraint to limit it to
  # `merge_request` or `issue`
  def authorize_can_read_issuable!
    action = [:read_, params[:template_type]].join

    authorize_action!(action)
  end

  def get_template_class
    template_types = { issue: Gitlab::Template::IssueTemplate, merge_request: Gitlab::Template::MergeRequestTemplate }.with_indifferent_access
    @template_type = template_types[params[:template_type]]
  end
end
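The following is an added example, not GitLab's code, that models the two behaviours the commit message describes in one self-contained Ruby script: the permission name is derived from the template type exactly as authorize_can_read_issuable! does and checked against an assumed, simplified permission matrix (in a private project a guest may read issues but not merge requests), and a missing template file raises FileNotFoundError, which is rendered as a 404 instead of propagating as a 500. FileNotFoundError, RecordNotFound, permitted_actions, find_template, show_template and the TEMPLATES store are stand-ins defined here, not GitLab's classes; rendering an authorization failure as 404 is likewise an assumption of this model.

```ruby
# Added example (not GitLab's code): minimal model of the authorization check
# and the FileNotFoundError -> 404 handling described in the commit message.
require 'set'

# Hypothetical stand-ins for the exceptions the real controller layer sees.
class FileNotFoundError < StandardError; end
class RecordNotFound < StandardError; end

# Mirrors the route constraint on params[:template_type].
TEMPLATE_TYPES = %w[issue merge_request].freeze

# Assumed simplified policy for a private project: a guest may read issues but
# not merge requests; reporters and above may read both. Unknown roles get nothing.
def permitted_actions(role)
  case role
  when :guest then Set[:read_issue]
  when :reporter, :developer, :maintainer then Set[:read_issue, :read_merge_request]
  else Set[]
  end
end

# Constructed in-repository template store standing in for RepoTemplateFinder.
TEMPLATES = {
  'issue' => { 'bug' => "## Bug report\n\nSteps to reproduce:" },
  'merge_request' => { 'default' => "## What does this MR do?" }
}.freeze

# Raises FileNotFoundError when the template file does not exist, as the
# commit message says the real finder can.
def find_template(template_type, key)
  content = TEMPLATES.fetch(template_type, {})[key]
  raise FileNotFoundError, "#{template_type}/#{key}.md not found" unless content

  content
end

# Mirrors TemplatesController#show: authorize first, then find. Returns
# [status, body] the way a Rails action would render.
def show_template(role:, template_type:, key:)
  return [404, nil] unless TEMPLATE_TYPES.include?(template_type)

  # Same derivation as authorize_can_read_issuable!: :read_ + template type.
  action = [:read_, template_type].join.to_sym
  return [404, nil] unless permitted_actions(role).include?(action)

  [200, { 'name' => key, 'content' => find_template(template_type, key) }]
rescue FileNotFoundError, RecordNotFound
  # A missing template file is handled like a missing record: 404, not 500.
  [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Guest asking for an MR template in a private project is now refused.
  p show_template(role: :guest, template_type: 'merge_request', key: 'default')
  # Reporter asking for a template that does not exist gets a clean 404.
  p show_template(role: :reporter, template_type: 'issue', key: 'missing')
end
```

Run with `ruby templates_check.rb` (any filename works). The guest/merge_request call returns `[404, nil]`, while the same guest fetching an issue template returns 200 with the template body; the reporter fetching a non-existent key also returns `[404, nil]` because the rescue clause converts the finder's exception instead of letting it surface as a server error.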