Merge branch 'fix_internal_snippets' into '7-4-stable'

Fix internal snippets See merge request !1216

Merge branch 'fix_internal_snippets' into '7-4-stable'
Fix internal snippets See merge request !1216
477743a1 · Jacob Vosmaer · 9712fbcd · 7f97a127 · 477743a1 · 477743a1
Commit 477743a1 authored Oct 24, 2014 by Jacob Vosmaer
Showing with 15 additions and 1 deletion

CHANGELOG CHANGELOG +5 -0

VERSION VERSION +1 -1

app/finders/snippets_finder.rb app/finders/snippets_finder.rb +2 -0

spec/finders/snippets_finder_spec.rb spec/finders/snippets_finder_spec.rb +7 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
+v 7.4.2
+  - Fix internal snippet exposing for unauthenticated users
+
 v 7.4.1
  - Fix LDAP authentication for Git HTTP access
  - Fix LDAP config lookup for provider 'ldap'
+  - Fix public snippets
+  - Fix 500 error on projects with nested submodules

 v 7.4.0
  - Refactored membership logic

--- a/VERSION
+++ b/VERSION
-7.4.1
+7.4.2
--- a/app/finders/snippets_finder.rb
+++ b/app/finders/snippets_finder.rb
@@ -29,6 +29,8 @@ class SnippetsFinder
  def by_user(current_user, user, scope)
    snippets = user.snippets.fresh.non_expired

+    return snippets.are_public unless current_user
+
    if user == current_user
      case scope
      when 'are_internal' then

--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -64,6 +64,13 @@ describe SnippetsFinder do
      snippets = SnippetsFinder.new.execute(user, filter: :by_user, user: user)
      snippets.should include(@snippet1, @snippet2, @snippet3)
    end
+
+    it "returns only public snippets if unauthenticated user" do
+      snippets = SnippetsFinder.new.execute(nil, filter: :by_user, user: user)
+      snippets.should include(@snippet3)
+      snippets.should_not include(@snippet2, @snippet1)
+    end
+
  end

  context 'by_project filter' do