Commit d5267dfd
Authored Apr 24, 2016 by Stan Hu

Prevent private snippets in public/internal projects from being leaked via API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580

Parent: 81cb636e

Showing 4 changed files with 99 additions and 7 deletions (+99 -7):
app/finders/snippets_finder.rb (+1 -1)
lib/api/project_snippets.rb (+10 -5)
spec/requests/api/project_snippets_spec.rb (+87 -0)
spec/requests/api/projects_spec.rb (+1 -1)
app/finders/snippets_finder.rb

@@ -51,7 +51,7 @@ class SnippetsFinder
       snippets = project.snippets.fresh
 
       if current_user
-        if project.team.member?(current_user.id)
+        if project.team.member?(current_user.id) || current_user.admin?
           snippets
         else
           snippets.public_and_internal
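Review bot: the new `|| current_user.admin?` branch in SnippetsFinder gets no finder-level spec in this commit; the admin path is only exercised indirectly by the PUT, DELETE and raw API specs, and those use create(:admin) against snippets the admin authored. A direct finder case (an admin who is not a project member sees private snippets; a signed-in non-member does not) would pin down exactly the behaviour the commit message promises.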
lib/api/project_snippets.rb

@@ -11,6 +11,11 @@ module API
           end
           not_found!
         end
+
+        def snippets_for_current_user
+          finder_params = { filter: :by_project, project: user_project }
+          SnippetsFinder.new.execute(current_user, finder_params)
+        end
       end
 
       # Get a project snippets
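Review bot: snippets_for_current_user is now the single choke point every snippet endpoint below routes through, so it deserves a one-line comment stating that it returns only the snippets visible to current_user (SnippetsFinder with filter: :by_project); without that, a future endpoint author may reach for user_project.snippets again and reintroduce the same leak.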
@@ -20,7 +25,7 @@ module API
       # Example Request:
       #   GET /projects/:id/snippets
       get ":id/snippets" do
-        present paginate(user_project.snippets), with: Entities::ProjectSnippet
+        present paginate(snippets_for_current_user), with: Entities::ProjectSnippet
       end
 
       # Get a project snippet
@@ -31,7 +36,7 @@ module API
       # Example Request:
       #   GET /projects/:id/snippets/:snippet_id
       get ":id/snippets/:snippet_id" do
-        @snippet = user_project.snippets.find(params[:snippet_id])
+        @snippet = snippets_for_current_user.find(params[:snippet_id])
         present @snippet, with: Entities::ProjectSnippet
       end
 
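Review bot: `snippets_for_current_user.find` raises ActiveRecord::RecordNotFound for a snippet the caller may not see, so a hidden private snippet and a nonexistent id both surface as the same 404 rather than a 403 that would confirm the snippet exists; that is the right outcome, but nothing in this commit asserts it for the single-snippet route (only the list route gets a non-member spec), so a "returns 404 for a private snippet as a non-member" case belongs here.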
@@ -73,7 +78,7 @@ module API
       # Example Request:
       #   PUT /projects/:id/snippets/:snippet_id
       put ":id/snippets/:snippet_id" do
-        @snippet = user_project.snippets.find(params[:snippet_id])
+        @snippet = snippets_for_current_user.find(params[:snippet_id])
         authorize! :update_project_snippet, @snippet
 
         attrs = attributes_for_keys [:title, :file_name, :visibility_level]
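Review bot: keep `authorize! :update_project_snippet, @snippet` after the new lookup: the finder only narrows the set to snippets the caller may read (public and internal snippets are still returned to any signed-in non-member), so it is not a write authorization check, and the two lines are complementary rather than redundant.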
@@ -97,7 +102,7 @@ module API
       #   DELETE /projects/:id/snippets/:snippet_id
       delete ":id/snippets/:snippet_id" do
         begin
-          @snippet = user_project.snippets.find(params[:snippet_id])
+          @snippet = snippets_for_current_user.find(params[:snippet_id])
           authorize! :update_project_snippet, @snippet
           @snippet.destroy
         rescue
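Review bot: the bare `rescue` context line below the changed `find` will now also catch the ActiveRecord::RecordNotFound raised when a non-member targets a private snippet; the rescue body is outside this hunk, so confirm it still yields the same 404 the GET route gives, rather than a different status or message that would reveal the snippet exists.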
@@ -113,7 +118,7 @@ module API
       # Example Request:
       #   GET /projects/:id/snippets/:snippet_id/raw
       get ":id/snippets/:snippet_id/raw" do
-        @snippet = user_project.snippets.find(params[:snippet_id])
+        @snippet = snippets_for_current_user.find(params[:snippet_id])
         env['api.format'] = :txt
         content_type 'text/plain'
 
spec/requests/api/project_snippets_spec.rb

@@ -15,4 +15,91 @@ describe API::API, api: true do
       expect(json_response['expires_at']).to be_nil
     end
   end
+
+  describe 'GET /projects/:project_id/snippets/' do
+    it 'all snippets available to team member' do
+      project = create(:project, :public)
+      user = create(:user)
+      project.team << [user, :developer]
+      public_snippet = create(:project_snippet, :public, project: project)
+      internal_snippet = create(:project_snippet, :internal, project: project)
+      private_snippet = create(:project_snippet, :private, project: project)
+
+      get api("/projects/#{project.id}/snippets/", user)
+
+      expect(response.status).to eq(200)
+      expect(json_response.size).to eq(3)
+      expect(json_response.map{ |snippet| snippet['id']} ).to include(public_snippet.id, internal_snippet.id, private_snippet.id)
+    end
+
+    it 'hides private snippets from regular user' do
+      project = create(:project, :public)
+      user = create(:user)
+      create(:project_snippet, :private, project: project)
+
+      get api("/projects/#{project.id}/snippets/", user)
+
+      expect(response.status).to eq(200)
+      expect(json_response.size).to eq(0)
+    end
+  end
+
+  describe 'POST /projects/:project_id/snippets/' do
+    it 'creates a new snippet' do
+      admin = create(:admin)
+      project = create(:project)
+      params = {
+        title: 'Test Title',
+        file_name: 'test.rb',
+        code: 'puts "hello world"',
+        visibility_level: Gitlab::VisibilityLevel::PUBLIC
+      }
+
+      post api("/projects/#{project.id}/snippets/", admin), params
+
+      expect(response.status).to eq(201)
+      snippet = ProjectSnippet.find(json_response['id'])
+      expect(snippet.content).to eq(params[:code])
+      expect(snippet.title).to eq(params[:title])
+      expect(snippet.file_name).to eq(params[:file_name])
+      expect(snippet.visibility_level).to eq(params[:visibility_level])
+    end
+  end
+
+  describe 'PUT /projects/:project_id/snippets/:id/' do
+    it 'updates snippet' do
+      admin = create(:admin)
+      snippet = create(:project_snippet, author: admin)
+      new_content = 'New content'
+
+      put api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/", admin), code: new_content
+
+      expect(response.status).to eq(200)
+      snippet.reload
+      expect(snippet.content).to eq(new_content)
+    end
+  end
+
+  describe 'DELETE /projects/:project_id/snippets/:id/' do
+    it 'deletes snippet' do
+      admin = create(:admin)
+      snippet = create(:project_snippet, author: admin)
+
+      delete api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/", admin)
+      expect(response.status).to eq(200)
+    end
+  end
+
+  describe 'GET /projects/:project_id/snippets/:id/raw' do
+    it 'returns raw text' do
+      admin = create(:admin)
+      snippet = create(:project_snippet, author: admin)
+
+      get api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/raw", admin)
+
+      expect(response.status).to eq(200)
+      expect(response.content_type).to eq 'text/plain'
+      expect(response.body).to eq(snippet.content)
+    end
+  end
 end
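Review bot: the only negative test, 'hides private snippets from regular user', covers a signed-in non-member on a public project and only the list route; the fix also concerns internal projects and the single-snippet, PUT, DELETE and raw routes, and the anonymous case (nil current_user, which takes a different branch in SnippetsFinder) is not exercised at all. One private-snippet 404 case per route, plus an internal-project variant of the list case, would lock the fix in. Minor style: `json_response.map{ |snippet| snippet['id']} )` has uneven spacing; `json_response.map { |snippet| snippet['id'] }` matches the rest of the spec.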
spec/requests/api/projects_spec.rb

@@ -11,7 +11,7 @@ describe API::API, api: true do
   let(:project) { create(:project, creator_id: user.id, namespace: user.namespace) }
   let(:project2) { create(:project, path: 'project2', creator_id: user.id, namespace: user.namespace) }
   let(:project3) { create(:project, path: 'project3', creator_id: user.id, namespace: user.namespace) }
-  let(:snippet) { create(:project_snippet, author: user, project: project, title: 'example') }
+  let(:snippet) { create(:project_snippet, :public, author: user, project: project, title: 'example') }
   let(:project_member) { create(:project_member, :master, user: user, project: project) }
   let(:project_member2) { create(:project_member, :developer, user: user3, project: project) }
   let(:user4) { create(:user) }
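Review bot: adding `:public` to the `snippet` factory keeps the existing projects_spec expectations passing now that the finder filters by visibility, but the reason is not visible from the diff: `project_member` is a lazy `let`, so in examples that never reference it `user` is not a team member and a snippet with the default visibility would now be hidden from them. A short comment, or referencing `project_member` in those examples so they exercise a real member instead of a public snippet, would make the intent explicit.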