Commit 4621fa2b authored by Sean McGivern's avatar Sean McGivern Committed by Lin Jen-Shin

Merge branch 'snippets_visibility' into 'security'

Fix snippets visibility for show action - external users can not see internal snippets

See merge request !2087
parent ecbd9da8
......@@ -90,20 +90,20 @@ class SnippetsController < ApplicationController
protected
def snippet
@snippet ||= if current_user
PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
current_user.id,
[Snippet::PUBLIC, Snippet::INTERNAL]).
find(params[:id])
else
PersonalSnippet.find(params[:id])
end
@snippet ||= PersonalSnippet.find_by(id: params[:id])
end
alias_method :awardable, :snippet
alias_method :spammable, :snippet
def authorize_read_snippet!
authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
return if can?(current_user, :read_personal_snippet, @snippet)
if current_user
render_404
else
authenticate_user!
end
end
def authorize_update_snippet!
......
---
title: Fix snippets visibility for show action - external users can not see internal snippets
merge_request:
author:
require 'rails_helper'
feature 'Internal Snippets', feature: true do
let(:internal_snippet) { create(:personal_snippet, :internal) }
describe 'normal user' do
before do
login_as :user
end
scenario 'sees internal snippets' do
visit snippet_path(internal_snippet)
expect(page).to have_content(internal_snippet.content)
end
scenario 'sees raw internal snippets' do
visit raw_snippet_path(internal_snippet)
expect(page).to have_content(internal_snippet.content)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment