From 2491a8711aac55f73e101365854b3060cab8be1e Mon Sep 17 00:00:00 2001
From: Alexis Reigel <mail@koffeinfrei.org>
Date: Thu, 18 May 2017 14:47:18 +0200
Subject: [PATCH 1/2] allow public access to appearance images

the custom logo and header logo were rendered unauthorized due to the
change in 43ff7386411af0f538710f3627622f71e5e34472 ("Support uploaders
for personal snippets comments")
---
 app/controllers/uploads_controller.rb       |  2 ++
 spec/controllers/uploads_controller_spec.rb | 40 +++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 21a964fb391..eef53730291 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -21,6 +21,8 @@ class UploadsController < ApplicationController
         can?(current_user, :read_project, model.project)
       when User
         true
+      when Appearance
+        true
       else
         permission = "read_#{model.class.to_s.underscore}".to_sym
 
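Review bot: The new `when Appearance` arm returns `true` with no explanation, and a reader of this `case` (whose enclosing method starts and ends outside the hunk) cannot tell from the code why this model alone is world-readable while the `else` arm derives a `read_*` permission from the class name. A one-line comment would carry the rationale from the commit message into the file, e.g. `# Appearance assets (logo, header logo) are shown on the sign-in page, so they must be readable without a session.` Since this arm grants access for every `mounted_as` on an Appearance record, it is worth confirming that the model/uploader lookup elsewhere in this controller already restricts `mounted_as` to the Appearance uploader columns; if it does not, a second condition on the mount name here would keep the public exception narrow.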
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index 7dedfe160a6..8000c9dec61 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -473,5 +473,45 @@ describe UploadsController do
         end
       end
     end
+
+    context 'Appearance' do
+      context 'when viewing a custom header logo' do
+        let!(:appearance) { create :appearance, header_logo: fixture_file_upload(Rails.root.join('spec/fixtures/dk.png'), 'image/png') }
+
+        context 'when not signed in' do
+          it 'responds with status 200' do
+            get :show, model: 'appearance', mounted_as: 'header_logo', id: appearance.id, filename: 'dk.png'
+
+            expect(response).to have_http_status(200)
+          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'appearance', mounted_as: 'header_logo', id: appearance.id, filename: 'dk.png'
+              response
+            end
+          end
+        end
+      end
+
+      context 'when viewing a custom logo' do
+        let!(:appearance) { create :appearance, logo: fixture_file_upload(Rails.root.join('spec/fixtures/dk.png'), 'image/png') }
+
+        context 'when not signed in' do
+          it 'responds with status 200' do
+            get :show, model: 'appearance', mounted_as: 'logo', id: appearance.id, filename: 'dk.png'
+
+            expect(response).to have_http_status(200)
+          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'appearance', mounted_as: 'logo', id: appearance.id, filename: 'dk.png'
+              response
+            end
+          end
+        end
+      end
+    end
   end
 end
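Review bot: The two new contexts at the end of the spec are structurally identical apart from the `mounted_as` value, and the same `get :show, model: 'appearance', ...` line is repeated four times (L42, L49, L61, L68). A shared example parameterised by the mount name, or a `subject` defined once per context and reused by the status assertion, would remove the duplication and make it harder for the two cases to drift. The new tests only exercise the anonymous path; presumably a signed-in user should also receive 200, and a short example for that case would pin the behaviour the controller change is meant to provide.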
-- 
GitLab


From d50d2885082ef2f0f6f825f4c1d2bd54bd89a6b6 Mon Sep 17 00:00:00 2001
From: Alexis Reigel <mail@koffeinfrei.org>
Date: Thu, 18 May 2017 15:04:56 +0200
Subject: [PATCH 2/2] add changelog

---
 .../unreleased/fix-allow-accessing-appearance-images.yml      | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changelogs/unreleased/fix-allow-accessing-appearance-images.yml

diff --git a/changelogs/unreleased/fix-allow-accessing-appearance-images.yml b/changelogs/unreleased/fix-allow-accessing-appearance-images.yml
new file mode 100644
index 00000000000..81118162bab
--- /dev/null
+++ b/changelogs/unreleased/fix-allow-accessing-appearance-images.yml
@@ -0,0 +1,4 @@
+---
+title: Fixes the 500 when accessing customized appearance logos
+merge_request: 11479
+author: Alexis Reigel
-- 
GitLab