Skip to content

G
gitlab-foss

李少辉-开发者 / gitlab-foss

通知 15
Star 0
Fork 0
G
gitlab-foss

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
uploads_controller.rb 2.0 KB
Newer Older
D
Use controllers to serve uploads, with XSS prevention and access control.  
Douwe Maan 已提交
1 
class UploadsController < ApplicationController
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
2 
  include UploadsActions
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
3
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
4 5 6 7 
  skip_before_action :authenticate_user!
  before_action :find_model
  before_action :authorize_access!, only: [:show]
  before_action :authorize_create_access!, only: [:create]
D
Allow non authenticated access to avatars  
Dmitriy Zaporozhets 已提交
8
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
9 10 
  private
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
11 
  def find_model
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
12 
    return render_404 unless upload_model && upload_mount
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
13 14 15 16 17 

    @model = upload_model.find(params[:id])
  end

  def authorize_access!
J
Fixed the Rails/ActionFilter cop  
Jeroen van Baarsen 已提交
18 
    authorized =
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
19 
      case model
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
20 
      when Note
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
21 22 
        can?(current_user, :read_project, model.project)
      when User
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
23 
        true
A
Fixes the 500 for custom apearance header logo and logo  
Alexis Reigel 已提交
24 25 
      when Appearance
        true
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
26 27 28 29 
      else
        permission = "read_#{model.class.to_s.underscore}".to_sym

        can?(current_user, permission, model)
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
30 31 
      end
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
32 33 34 35 36 37 
    render_unauthorized unless authorized
  end

  def authorize_create_access!
    # for now we support only personal snippets comments
    authorized = can?(current_user, :comment_personal_snippet, model)
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
38
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
39 40 41 42 
    render_unauthorized unless authorized
  end

  def render_unauthorized
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
43 
    if current_user
V
Only render 404 page from /public  
Valery Sizov 已提交
44 
      render_404
D
Reject access to group/project avatar if the user doesn't have access.  
Douwe Maan 已提交
45 46 
    else
      authenticate_user!
D
Allow non authenticated access to avatars  
Dmitriy Zaporozhets 已提交
47 48 
    end
  end
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
49 50 51 

  def upload_model
    upload_models = {
D
Don't symbolize params.  
Douwe Maan 已提交
52 53 54 
      "user"    => User,
      "project" => Project,
      "note"    => Note,
Z
Branded login page also in CE  
Zeger-Jan van de Weg 已提交
55 
      "group"   => Group,
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
56 57 
      "appearance" => Appearance,
      "personal_snippet" => PersonalSnippet
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
58 59 
    }
D
Don't symbolize params.  
Douwe Maan 已提交
60 
    upload_models[params[:model]]
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
61 62 63 
  end

  def upload_mount
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
64 65 
    return true unless params[:mounted_as]
Z
Branded login page also in CE  
Zeger-Jan van de Weg 已提交
66 
    upload_mounts = %w(avatar attachment file logo header_logo)
D
Add brakeman rake task and improve code security  
Dmitriy Zaporozhets 已提交
67 68 69 70 71 

    if upload_mounts.include?(params[:mounted_as])
      params[:mounted_as]
    end
  end
J
Support uploaders for personal snippets comments  
Jarka Kadlecova 已提交
72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 

  def uploader
    return @uploader if defined?(@uploader)

    if model.is_a?(PersonalSnippet)
      @uploader = PersonalFileUploader.new(model, params[:secret])

      @uploader.retrieve_from_store!(params[:filename])
    else
      @uploader = @model.send(upload_mount)

      redirect_to @uploader.url unless @uploader.file_storage?
    end

    @uploader
  end

  def uploader_class
    PersonalFileUploader
  end

  def model
    @model ||= find_model
  end
D
Use controllers to serve uploads, with XSS prevention and access control.  
Douwe Maan 已提交
96 
end