Class: UploadsController

Inherits:
ApplicationController show all
Includes:
UploadsActions, WorkhorseRequest
Defined in:
app/controllers/uploads_controller.rb

Constant Summary collapse

# Raised by #upload_model_class when params[:model] has no entry in
# MODEL_CLASSES.
UnknownUploadModelError = Class.new(StandardError)

# Allowlist that maps the request's `model` parameter to the class that owns
# the upload. The lookup is by exact key, so the parameter is only ever used
# to select one of these classes. The nil key means a request without a
# `model` parameter resolves to PersonalSnippet.
MODEL_CLASSES = {
  "user" => User,
  "project" => Project,
  "note" => Note,
  "group" => Group,
  "appearance" => Appearance,
  "personal_snippet" => PersonalSnippet,
  nil => PersonalSnippet
}.freeze

Constants included from UploadsActions

UploadsActions::UPLOAD_MOUNTS

Constants inherited from ApplicationController

ApplicationController::DEFAULT_GITLAB_CACHE_CONTROL

Constants included from Gitlab::Logging::CloudflareHelper

Gitlab::Logging::CloudflareHelper::CLOUDFLARE_CUSTOM_HEADERS

Constants included from Gitlab::NoCacheHeaders

Gitlab::NoCacheHeaders::DEFAULT_GITLAB_NO_CACHE_HEADERS

Instance Method Summary collapse

Methods included from UploadsActions

#authorize, #create, #show

Methods included from SendFileUpload

#content_type_for, #guess_content_type, #send_upload

Methods included from Gitlab::Utils::StrongMemoize

#clear_memoization, #strong_memoize, #strong_memoized?

Methods inherited from ApplicationController

#not_found, #redirect_back_or_default, #render, #route_not_found

Methods included from Gitlab::Logging::CloudflareHelper

#store_cloudflare_headers!, #valid_cloudflare_header?

Methods included from Impersonation

#current_user

Methods included from InitializesCurrentUserMode

#current_user_mode

Methods included from Gitlab::Experimentation::ControllerConcern

#experiment_enabled?, #experiment_tracking_category_and_group, #frontend_experimentation_tracking_data, #record_experiment_user, #set_experimentation_subject_id_cookie, #track_experiment_event

Methods included from SessionsHelper

#limit_session_time, #unconfirmed_email?

Methods included from SessionlessAuthentication

#authenticate_sessionless_user!, #sessionless_bypass_admin_mode!, #sessionless_sign_in, #sessionless_user?

Methods included from Gitlab::SearchContext::ControllerConcern

#search_context

Methods included from EnforcesTwoFactorAuthentication

#check_two_factor_requirement, #current_user_requires_two_factor?, #skip_two_factor?, #two_factor_authentication_reason, #two_factor_authentication_required?, #two_factor_grace_period, #two_factor_grace_period_expired?, #two_factor_skippable?, #two_factor_verifier

Methods included from WorkhorseHelper

#send_artifacts_entry, #send_git_archive, #send_git_blob, #send_git_diff, #send_git_patch, #set_workhorse_internal_api_content_type, #workhorse_set_content_type!

Methods included from SafeParamsHelper

#safe_params

Methods included from PageLayoutHelper

#blank_container, #container_class, #favicon, #fluid_layout, #header_title, #nav, #page_card_attributes, #page_card_meta_tags, #page_description, #page_image, #page_title, #search_context, #sidebar

Methods included from GitlabRoutingHelper

#approve_access_request_group_member_path, #approve_access_request_project_member_path, #artifacts_action_path, #commit_url, #commits_url, #edit_milestone_path, #edit_pipeline_schedule_path, #environment_delete_path, #environment_metrics_path, #environment_path, #expose_fast_artifacts_path, #fast_browse_project_job_artifacts_path, #fast_download_project_job_artifacts_path, #fast_keep_project_job_artifacts_path, #gitlab_dashboard_snippets_path, #gitlab_raw_snippet_blob_path, #gitlab_raw_snippet_blob_url, #gitlab_raw_snippet_path, #gitlab_raw_snippet_url, #gitlab_snippet_note_path, #gitlab_snippet_note_url, #gitlab_snippet_notes_path, #gitlab_snippet_notes_url, #gitlab_snippet_path, #gitlab_snippet_url, #gitlab_toggle_award_emoji_snippet_note_path, #gitlab_toggle_award_emoji_snippet_note_url, #gitlab_toggle_award_emoji_snippet_path, #gitlab_toggle_award_emoji_snippet_url, #group_member_path, #group_members_url, #issue_path, #issue_url, #leave_group_members_path, #leave_project_members_path, #merge_request_path, #merge_request_url, #pipeline_job_url, #pipeline_path, #pipeline_schedule_path, #pipeline_schedules_path, #pipeline_url, #play_pipeline_schedule_path, #preview_markdown_path, #project_commits_path, #project_member_path, #project_members_url, #project_ref_path, #project_tree_path, #request_access_group_members_path, #request_access_project_members_path, #resend_invite_group_member_path, #resend_invite_project_member_path, #take_ownership_pipeline_schedule_path, #toggle_award_emoji_personal_snippet_path, #toggle_award_emoji_project_project_snippet_path, #toggle_award_emoji_project_project_snippet_url, #toggle_subscription_path, #wiki_page_path, #wiki_path

Methods included from API::Helpers::RelatedResourcesHelpers

#expose_path, #expose_url, #issues_available?, #mrs_available?

Methods included from Gitlab::NoCacheHeaders

#no_cache_headers

Methods included from Gitlab::GonHelper

#add_gon_variables, #default_avatar_url, #push_frontend_feature_flag

Methods included from WebpackHelper

#webpack_bundle_tag, #webpack_controller_bundle_tags, #webpack_entrypoint_paths, #webpack_public_host, #webpack_public_path

Methods included from StartupCssHelper

#use_startup_css?

Instance Method Details

#authorize_access!Object


# File 'app/controllers/uploads_controller.rb', line 37

# Read-side authorization for an upload: picks the ability to check from the
# type of the owning model and calls render_unauthorized when the check fails.
# Does nothing when there is no model.
def authorize_access!
  return unless model

  allowed =
    case model
    when Note
      # NOTE(review): the ability is checked on the note's project, not on
      # the note itself; confirm that is sufficient for notes attached to
      # something more restricted than the project.
      can?(current_user, :read_project, model.project)
    when Snippet, ProjectSnippet
      can?(current_user, :read_snippet, model)
    when User
      # We validate the current user has enough (writing)
      # access to itself when a secret is given.
      # For instance, user avatars are readable by anyone,
      # while temporary, user snippet uploads are not.
      secret? ? can?(current_user, :update_user, model) : true
    when Appearance
      # Appearance uploads are served without any permission check.
      true
    else
      # Every other model is checked with a read ability whose name is
      # derived from the model's class (presumably :read_project for a
      # Project; confirm against the policy definitions).
      can?(current_user, :"read_#{model.class.underscore}", model)
    end

  return if allowed

  render_unauthorized
end

#authorize_create_access!Object


# File 'app/controllers/uploads_controller.rb', line 63

# Write-side authorization for creating an upload. Does nothing when there is
# no model; otherwise calls render_unauthorized unless the current user holds
# the required ability on the model.
def authorize_create_access!
  return unless model

  allowed =
    if User === model
      # Uploading to a user record requires the ability to update that user.
      can?(current_user, :update_user, model)
    else
      # Every other model type is gated on :create_note, whatever its class.
      can?(current_user, :create_note, model)
    end

  return if allowed

  render_unauthorized
end

#cache_settingsObject


# File 'app/controllers/uploads_controller.rb', line 85

# Cache lifetime and Cache-Control directives for the served upload, chosen
# by the type of the owning model.
#
# @return [Array, nil] a [ttl, directives] pair, or nil for any model type
#   not listed here
def cache_settings
  directives =
    case model
    when User, Appearance
      # Marked public, so shared caches may store the response.
      # NOTE(review): this branch covers every User upload, including the
      # ones authorize_access! gates behind :update_user when a secret is
      # given; confirm that public caching is intended for those.
      { public: true, must_revalidate: false }
    when Project, Group
      # Kept out of shared caches and revalidated.
      { private: true, must_revalidate: true }
    end

  [5.minutes, directives] if directives
end

#find_modelObject


# File 'app/controllers/uploads_controller.rb', line 31

# Looks up the record that owns the upload.
#
# The class comes from upload_model_class, which raises
# UnknownUploadModelError for a `model` parameter outside MODEL_CLASSES, so
# the id is only ever passed to an allowlisted class.
#
# @return [Object, nil] the record, or nil when the request has no :id
def find_model
  id = params[:id]
  return unless id

  upload_model_class.find(id)
end

#render_unauthorizedObject


# File 'app/controllers/uploads_controller.rb', line 77

# Response for a failed authorization check. A signed-in user or a Workhorse
# authorize request gets a 404; an anonymous request is handed to
# authenticate_user! instead.
# NOTE(review): answering 404 rather than 403 presumably avoids confirming
# that the upload exists; confirm the intent.
def render_unauthorized
  return render_404 if current_user || workhorse_authorize_request?

  authenticate_user!
end

#secret?Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 94

# Whether the request carries a non-blank :secret parameter. Only the
# parameter's presence is tested here; its value is not compared to anything.
#
# @return [Boolean]
def secret?
  !params[:secret].blank?
end

#upload_model_classObject


# File 'app/controllers/uploads_controller.rb', line 98

# Resolves the `model` request parameter to a class through the MODEL_CLASSES
# allowlist. The parameter is used only as a hash key, so a value outside the
# allowlist cannot select any other class.
#
# @return [Class] the allowlisted model class
# @raise [UnknownUploadModelError] when params[:model] is not a key of
#   MODEL_CLASSES
def upload_model_class
  klass = MODEL_CLASSES[params[:model]]
  raise UnknownUploadModelError unless klass

  klass
end

#upload_model_class_has_mounts?Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 102

# Whether the resolved model class has CarrierWave::Mount::Extension among
# its ancestors.
#
# @return [Boolean, nil] the result of the module comparison, which is nil
#   (falsy) when the two are unrelated
def upload_model_class_has_mounts?
  model_class = upload_model_class

  CarrierWave::Mount::Extension > model_class
end

#upload_mount_satisfied?Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 106

# Checks the requested mount against the mounts the model class declares.
# A model class without mounts passes unconditionally; otherwise upload_mount
# must be one of the keys of the class's uploader_options.
#
# @return [Boolean]
def upload_mount_satisfied?
  !upload_model_class_has_mounts? ||
    upload_model_class.uploader_options.has_key?(upload_mount)
end

#uploader_classObject


# File 'app/controllers/uploads_controller.rb', line 27

# Uploader class used by this controller. It is the same for every model
# type.
#
# @return [Class] PersonalFileUploader
def uploader_class
  PersonalFileUploader
end