Class: UploadsController

Inherits:
ApplicationController
Includes:
UploadsActions, WorkhorseRequest
Defined in:
app/controllers/uploads_controller.rb

Constant Summary

# Raised by #upload_model_class when params[:model] names something that is
# not a key of MODEL_CLASSES.
UnknownUploadModelError =
Class.new(StandardError)
# Allowlist mapping the `model` request param (a string) to the record class
# whose upload is being served or created. Resolving through this fixed hash,
# rather than constantizing request input, is what bounds which classes the
# controller can ever load: #upload_model_class raises for any key not listed
# here. The `nil` key means a request with no `model` param is treated as a
# PersonalSnippet upload.
MODEL_CLASSES =
{
  "user"             => User,
  "project"          => Project,
  "note"             => Note,
  "group"            => Group,
  "appearance"       => Appearance,
  "personal_snippet" => PersonalSnippet,
  "projects/topic"   => Projects::Topic,
  'alert_management_metric_image' => ::AlertManagement::MetricImage,
  nil => PersonalSnippet
}.freeze



Methods included from UploadsActions

#authorize, #create, #show


Class Method Details

.model_classes ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 32

# Class-level accessor for the MODEL_CLASSES allowlist. Instance code goes
# through `self.class.model_classes` (see #upload_model_class) rather than
# reading the constant directly.
def self.model_classes
  MODEL_CLASSES
end

Instance Method Details

#authorize_access! ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 67

# Read-access guard for serving an existing upload (the before_action wiring
# that attaches it to #show is outside this listing). A request that fails
# #authorized? is answered by #render_unauthorized; an authorized request
# falls through and returns nil.
def authorize_access!
  return if authorized?

  render_unauthorized
end

#authorize_create_access! ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 71

# Write-access guard for creating a new upload against the resolved model.
# Uploading onto a User record requires :update_user on that user; for every
# other model the caller must hold :create_note on it (presumably because
# these uploads are note attachments — confirm against the policies).
# Failure is reported through #render_unauthorized, so an unauthorized
# signed-in caller sees a 404 rather than a 403.
def authorize_create_access!
  ability = model.is_a?(User) ? :update_user : :create_note

  render_unauthorized unless can?(current_user, ability, model)
end

#authorized? ⇒ Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 44

# Read-side authorization for serving an upload, decided by the class of the
# resolved model:
#
# - Note: the caller must be able to read the note's project.
# - Snippet / ProjectSnippet: the caller must be able to read the snippet.
# - User: a request without a `secret` param (e.g. an avatar) is readable by
#   anyone, including anonymous callers; a request that carries a secret is
#   only allowed when the caller can update that user. Only the *presence* of
#   the secret is checked here — matching it against the stored upload is
#   presumably done elsewhere (verify in UploadsActions / the uploader).
# - Appearance and Projects::Topic: always readable.
# - AlertManagement::MetricImage: the caller must be able to read metric
#   images of the owning alert.
# - Anything else: the ability is derived from the class name, e.g.
#   :read_project for Project and :read_group for Group. Building an ability
#   from a class name is only safe because #upload_model_class restricts the
#   class to the MODEL_CLASSES allowlist; never feed this a request-chosen
#   name.
def authorized?
  if model.is_a?(Note)
    can?(current_user, :read_project, model.project)
  elsif model.is_a?(Snippet) || model.is_a?(ProjectSnippet)
    can?(current_user, :read_snippet, model)
  elsif model.is_a?(User)
    # Public user uploads (no secret) need no permission at all.
    return true unless secret?

    can?(current_user, :update_user, model)
  elsif model.is_a?(Appearance) || model.is_a?(Projects::Topic)
    true
  elsif model.is_a?(::AlertManagement::MetricImage)
    can?(current_user, :read_alert_management_metric_image, model.alert)
  else
    ability = :"read_#{model.class.underscore}"
    can?(current_user, ability, model)
  end
end

#cache_settings ⇒ Array, nil


# File 'app/controllers/uploads_controller.rb', line 91

# Cache-control policy for a served upload, as `[ttl, directives]`.
#
# User, Appearance and Projects::Topic uploads may be held by shared caches
# for five minutes without revalidation. Project and Group uploads may only be
# cached by the requesting client and must be revalidated. Every other model
# yields nil, and the caller is expected to apply a conservative default in
# that case — confirm in the #show implementation, which is outside this
# listing.
#
# NOTE(review): the User branch does not consult #secret?, so a secret-scoped
# user upload — which #authorized? only grants to callers holding
# :update_user — is still labelled `public`. The URL presumably carries the
# secret, but a shared cache on the path could replay the cached body to any
# client that presents the same URL; consider returning the private/revalidate
# directives when #secret? is true.
def cache_settings
  shared_ttl = 5.minutes

  if model.is_a?(User) || model.is_a?(Appearance) || model.is_a?(Projects::Topic)
    [shared_ttl, { public: true, must_revalidate: false }]
  elsif model.is_a?(Project) || model.is_a?(Group)
    [shared_ttl, { private: true, must_revalidate: true }]
  end
end

#find_model ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 40

# Loads the record identified by params[:id] from the allowlisted model class
# chosen by #upload_model_class. ActiveRecord's `find` raises
# ActiveRecord::RecordNotFound for an unknown id; how that is turned into a
# response is decided outside this listing (presumably a 404 — confirm).
# This only resolves the record: whether the caller may see it is decided
# separately by #authorized? / #authorize_create_access!.
def find_model
  model_class = upload_model_class
  model_class.find(params[:id])
end

#render_unauthorized ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 83

# Denial response shared by #authorize_access! and #authorize_create_access!.
# A signed-in caller, or a request Workhorse is pre-authorizing, receives a
# 404 rather than a 403, which avoids confirming to an unauthorized caller
# that the upload or its owner exists. An anonymous caller is instead sent
# through the normal login flow via authenticate_user!.
def render_unauthorized
  return authenticate_user! unless current_user || workhorse_authorize_request?

  render_404
end

#secret? ⇒ Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 100

# True when the request carries a non-blank `secret` param. #authorized? uses
# this to tell public user uploads (no secret) from secret-scoped ones. Only
# presence is tested; nothing here validates that the secret matches an
# actual upload.
def secret?
  !params[:secret].blank?
end

#upload_model_class ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 104

# Resolves params[:model] to a record class through the MODEL_CLASSES
# allowlist (via .model_classes). Because this is a plain hash lookup and
# never constantizes request input, only the listed classes are reachable.
# A missing :model param resolves to PersonalSnippet through the hash's `nil`
# key; any other unlisted value (including non-string params, which cannot
# match a string key) raises UnknownUploadModelError, which callers are
# expected to handle outside this listing — confirm.
def upload_model_class
  model_class = self.class.model_classes[params[:model]]
  raise UnknownUploadModelError unless model_class

  model_class
end

#upload_model_class_has_mounts? ⇒ Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 108

# Whether the resolved model class mixes in CarrierWave's mount extension,
# i.e. declares uploader mounts that #upload_mount_satisfied? can check
# against. Note that `Class#<` returns true when the module is an ancestor
# and nil (not false) when it is unrelated, so treat the result only as
# truthy/falsy.
def upload_model_class_has_mounts?
  model_class = upload_model_class
  model_class < CarrierWave::Mount::Extension
end

#upload_mount_satisfied? ⇒ Boolean

Returns:

  • (Boolean)

# File 'app/controllers/uploads_controller.rb', line 112

# Rejects requests that target an uploader mount the model does not declare.
# Models without CarrierWave mounts are accepted unconditionally; for the
# rest, the requested mount (#upload_mount, defined outside this listing and
# presumably derived from the request path) must be one of the keys of the
# model class's uploader_options, so a request cannot address an arbitrary
# attribute of the record.
def upload_mount_satisfied?
  mounted = upload_model_class_has_mounts?

  mounted ? upload_model_class.uploader_options.has_key?(upload_mount) : true
end

#uploader_class ⇒ Object


# File 'app/controllers/uploads_controller.rb', line 36

# Uploader class used for files handled through this controller. It is fixed
# here rather than derived from the request, so the model allowlist (not the
# caller) determines where an upload is stored.
def uploader_class
  PersonalFileUploader
end