Class: UploadsController

Inherits:
ApplicationController show all
Includes:
UploadsActions, WorkhorseRequest
Defined in:
app/controllers/uploads_controller.rb

Constant Summary collapse

UnknownUploadModelError =
Class.new(StandardError)
MODEL_CLASSES =
{
  "user" => User,
  "project" => Project,
  "note" => Note,
  "group" => Group,
  "appearance" => Appearance,
  "personal_snippet" => PersonalSnippet,
  "projects/topic" => Projects::Topic,
  'alert_management_metric_image' => ::AlertManagement::MetricImage,
  "achievements/achievement" => Achievements::Achievement,
  "abuse_report" => AbuseReport,
  nil => PersonalSnippet
}.freeze

Constants included from UploadsActions

UploadsActions::UPLOAD_MOUNTS

Constants included from Gitlab::EndpointAttributes

Gitlab::EndpointAttributes::DEFAULT_URGENCY

Constants included from Gitlab::Logging::CloudflareHelper

Gitlab::Logging::CloudflareHelper::CLOUDFLARE_CUSTOM_HEADERS

Constants included from Impersonation

Impersonation::SESSION_KEYS_TO_DELETE

Constants included from PreferredLanguageSwitcherHelper

PreferredLanguageSwitcherHelper::SWITCHER_MINIMUM_TRANSLATION_LEVEL

Constants included from Gitlab::NoCacheHeaders

Gitlab::NoCacheHeaders::DEFAULT_GITLAB_NO_CACHE_HEADERS

Class Method Summary collapse

Instance Method Summary collapse

Methods included from UploadsActions

#authorize, #create, #show

Methods included from SendFileUpload

#cdn_fronted_url, #content_type_for, #guess_content_type, #send_upload

Methods inherited from ApplicationController

endpoint_id_for_action, #feature_category, #not_found, #redirect_back_or_default, #render, #route_not_found, #urgency

Methods included from ContentSecurityPolicyPatch

#content_security_policy_with_context

Methods included from CheckRateLimit

#check_rate_limit!

Methods included from FlocOptOut

#floc_enabled?, #set_floc_opt_out_header

Methods included from Gitlab::Logging::CloudflareHelper

#store_cloudflare_headers!, #valid_cloudflare_header?

Methods included from Impersonation

#current_user

Methods included from InitializesCurrentUserMode

#current_user_mode

Methods included from SessionsHelper

#ensure_authenticated_session_time, #limit_session_time, #obfuscated_email, #recently_confirmed_com?, #remember_me_enabled?, #set_session_time, #unconfirmed_email?, #unconfirmed_verification_email?, #verification_data, #verification_email

Methods included from SessionlessAuthentication

#authenticate_sessionless_user!, #request_authenticator, #sessionless_bypass_admin_mode!, #sessionless_sign_in, #sessionless_user?

Methods included from PreferredLanguageSwitcherHelper

#ordered_selectable_locales

Methods included from Gitlab::SearchContext::ControllerConcern

#search_context

Methods included from EnforcesTwoFactorAuthentication

#check_two_factor_requirement, #current_user_requires_two_factor?, #mfa_help_page_url, #skip_two_factor?, #two_factor_authentication_reason, #two_factor_authentication_required?, #two_factor_grace_period, #two_factor_grace_period_expired?, #two_factor_skippable?, #two_factor_verifier

Methods included from WorkhorseHelper

#content_disposition_for_blob, #send_artifacts_entry, #send_dependency, #send_git_archive, #send_git_blob, #send_git_diff, #send_git_patch, #set_workhorse_internal_api_content_type, #workhorse_set_content_type!

Methods included from SafeParamsHelper

#safe_params

Methods included from PageLayoutHelper

#blank_container, #container_class, #favicon, #fluid_layout, #full_content_class, #header_title, #nav, #page_canonical_link, #page_card_attributes, #page_card_meta_tags, #page_description, #page_image, #page_itemtype, #page_title, #search_context, #sidebar, #user_status_properties

Methods included from Routing::PackagesHelper

#package_path

Methods included from Routing::PseudonymizationHelper

#masked_page_url

Methods included from Routing::GraphqlHelper

#graphql_etag_pipeline_path, #graphql_etag_pipeline_sha_path, #graphql_etag_project_on_demand_scan_counts_path

Methods included from Routing::WikiHelper

#wiki_page_path, #wiki_path

Methods included from Routing::SnippetsHelper

#gitlab_dashboard_snippets_path, #gitlab_raw_snippet_blob_path, #gitlab_raw_snippet_blob_url, #gitlab_raw_snippet_path, #gitlab_raw_snippet_url, #gitlab_snippet_note_path, #gitlab_snippet_note_url, #gitlab_snippet_notes_path, #gitlab_snippet_notes_url, #gitlab_snippet_path, #gitlab_snippet_url, #gitlab_toggle_award_emoji_snippet_note_path, #gitlab_toggle_award_emoji_snippet_note_url, #gitlab_toggle_award_emoji_snippet_path, #gitlab_toggle_award_emoji_snippet_url, #preview_markdown_path, #toggle_award_emoji_personal_snippet_path, #toggle_award_emoji_project_project_snippet_path, #toggle_award_emoji_project_project_snippet_url

Methods included from Routing::PipelineSchedulesHelper

#edit_pipeline_schedule_path, #pipeline_schedule_path, #pipeline_schedules_path, #play_pipeline_schedule_path, #take_ownership_pipeline_schedule_path

Methods included from Routing::ArtifactsHelper

#artifacts_action_path, #expose_fast_artifacts_path, #fast_browse_project_job_artifacts_path, #fast_download_project_job_artifacts_path, #fast_keep_project_job_artifacts_path

Methods included from Routing::MembersHelper

#source_members_url

Methods included from Routing::Groups::MembersHelper

#approve_access_request_group_member_path, #group_member_path, #group_members_url, #leave_group_members_path, #request_access_group_members_path, #resend_invite_group_member_path

Methods included from Routing::Projects::MembersHelper

#approve_access_request_project_member_path, #leave_project_members_path, #project_member_path, #project_members_url, #request_access_project_members_path, #resend_invite_project_member_path

Methods included from Routing::ProjectsHelper

#commit_url, #commits_url, #edit_milestone_path, #environment_delete_path, #environment_path, #issue_path, #issue_url, #merge_request_path, #merge_request_url, #pipeline_job_url, #pipeline_path, #pipeline_url, #project_commits_path, #project_ref_path, #project_tree_path, #release_url, #toggle_subscription_path, #work_item_url

Methods included from API::Helpers::RelatedResourcesHelpers

#expose_path, #expose_url, #issues_available?, #mrs_available?, #project_feature_string_access_level

Methods included from ApplicationSettingsHelper

#all_protocols_enabled?, #allowed_protocols_present?, #anti_spam_service_enabled?, #deprecated_attributes, #enabled_protocol, #enabled_protocol_button, #expanded_by_default?, #external_authorization_allow_token_help_text, #external_authorization_client_certificate_help_text, #external_authorization_client_key_help_text, #external_authorization_client_pass_help_text, #external_authorization_client_url_help_text, #external_authorization_description, #external_authorization_service_attributes, #external_authorization_timeout_help_text, #external_authorization_url_help_text, #http_enabled?, #import_sources_checkboxes, #instance_clusters_enabled?, #integration_expanded?, #key_restriction_options_for_select, #kroki_available_formats, #oauth_providers_checkboxes, #omnibus_protected_paths_throttle?, #pending_user_count, #registration_features_can_be_prompted?, #repository_storages_options_json, #restricted_level_checkboxes, #runner_token_expiration_interval_attributes, #sidekiq_job_limiter_mode_help_text, #sidekiq_job_limiter_modes_for_select, #signup_enabled?, #signup_form_data, #ssh_enabled?, #storage_weights, #user_oauth_applications?, #valid_runner_registrars, #visible_attributes

Methods included from ProjectsHelper

#able_to_see_forks_count?, #able_to_see_issues?, #able_to_see_merge_requests?, #any_projects?, #author_content_tag, #autodeploy_flash_notice, #badge_count, #branch_rules_path, #can_admin_associated_clusters?, #can_admin_project_member?, #can_change_visibility_level?, #can_disable_emails?, #can_push_code?, #can_view_branch_rules?, #clusters_deprecation_alert_message, #delete_confirm_phrase, #directory?, #error_tracking_setting_project_json, #explore_projects_tab?, #external_classification_label_help_message, #fork_button_data_attributes, #grafana_integration_enabled?, #grafana_integration_masked_token, #grafana_integration_url, #http_clone_url_to_repo, #import_from_bitbucket_message, #import_from_gitlab_message, #inactive_project_deletion_date, #last_pipeline_from_status_cache, #last_push_event, #link_to_autodeploy_doc, #link_to_member, #link_to_member_avatar, #link_to_project, #load_pipeline_status, #localized_project_human_access, #membership_locked?, #no_password_message, #project_can_be_shared?, #project_classes, #project_coverage_chart_data_attributes, #project_incident_management_setting, #project_license_name, #project_list_cache_key, #project_permissions_panel_data, #project_title, #push_to_create_project_command, #remote_mirror_setting_enabled?, #remove_fork_project_confirm_json, #remove_fork_project_description_message, #remove_fork_project_warning_message, #remove_project_message, #show_auto_devops_implicitly_enabled_banner?, #show_clusters_alert?, #show_count?, #show_inactive_project_deletion_banner?, #show_mobile_devops_project_promo?, #show_no_password_message?, #show_no_ssh_key_message?, #show_projects?, #show_terraform_banner?, #show_xcode_link?, #ssh_clone_url_to_repo, #transfer_project_message, #visibility_level_content, #visible_fork_source, #vue_fork_divergence_data, #xcode_uri_to_repo

Methods included from Gitlab::Allowable

#can?

Methods included from CompareHelper

#create_mr_button?, #create_mr_path, #project_compare_selector_data, #target_projects

Methods included from Gitlab::NoCacheHeaders

#no_cache_headers

Methods included from Gitlab::GonHelper

#add_browsersdk_tracking, #add_gon_variables, #default_avatar_url, #push_force_frontend_feature_flag, #push_frontend_feature_flag, #push_to_gon_attributes

Methods included from WebpackHelper

#prefetch_link_tag, #webpack_bundle_tag, #webpack_controller_bundle_tags, #webpack_entrypoint_paths, #webpack_preload_asset_tag, #webpack_public_host, #webpack_public_path

Methods included from ViteHelper

#universal_asset_path, #universal_javascript_include_tag

Class Method Details

.model_classesObject



34
35
36
# File 'app/controllers/uploads_controller.rb', line 34

def self.model_classes
  MODEL_CLASSES
end

Instance Method Details

#authorize_access!Object



73
74
75
# File 'app/controllers/uploads_controller.rb', line 73

def authorize_access!
  render_unauthorized unless authorized?
end

#authorize_create_access!Object



77
78
79
80
81
82
83
84
85
86
87
# File 'app/controllers/uploads_controller.rb', line 77

def authorize_create_access!
  authorized =
    case model
    when User
      can?(current_user, :update_user, model)
    else
      can?(current_user, :create_note, model)
    end

  render_unauthorized unless authorized
end

#authorized?Boolean

Returns:

  • (Boolean)


46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'app/controllers/uploads_controller.rb', line 46

def authorized?
  case model
  when Note
    can?(current_user, :read_project, model.project)
  when Snippet, ProjectSnippet
    can?(current_user, :read_snippet, model)
  when User
    # We validate the current user has enough (writing)
    # access to itself when a secret is given.
    # For instance, user avatars are readable by anyone,
    # while temporary, user snippet uploads are not.
    return false if !current_user && public_visibility_restricted?

    !secret? || can?(current_user, :update_user, model)
  when Appearance
    true
  when Projects::Topic
    true
  when ::AlertManagement::MetricImage
    can?(current_user, :read_alert_management_metric_image, model.alert)
  when ::Achievements::Achievement
    true
  else
    can?(current_user, "read_#{model.class.underscore}".to_sym, model)
  end
end

#cache_settingsObject



97
98
99
100
101
102
103
104
# File 'app/controllers/uploads_controller.rb', line 97

def cache_settings
  case model
  when User, Appearance, Projects::Topic, Achievements::Achievement
    [5.minutes, { public: true, must_revalidate: false }]
  when Project, Group
    [5.minutes, { private: true, must_revalidate: true }]
  end
end

#find_modelObject



42
43
44
# File 'app/controllers/uploads_controller.rb', line 42

def find_model
  upload_model_class.find(params[:id])
end

#render_unauthorizedObject



89
90
91
92
93
94
95
# File 'app/controllers/uploads_controller.rb', line 89

def render_unauthorized
  if current_user || workhorse_authorize_request?
    render_404
  else
    authenticate_user!
  end
end

#secret?Boolean

Returns:

  • (Boolean)


106
107
108
# File 'app/controllers/uploads_controller.rb', line 106

def secret?
  params[:secret].present?
end

#upload_model_classObject



110
111
112
# File 'app/controllers/uploads_controller.rb', line 110

def upload_model_class
  self.class.model_classes[params[:model]] || raise(UnknownUploadModelError)
end

#upload_model_class_has_mounts?Boolean

Returns:

  • (Boolean)


114
115
116
# File 'app/controllers/uploads_controller.rb', line 114

def upload_model_class_has_mounts?
  upload_model_class < CarrierWave::Mount::Extension
end

#upload_mount_satisfied?Boolean

Returns:

  • (Boolean)


118
119
120
121
122
# File 'app/controllers/uploads_controller.rb', line 118

def upload_mount_satisfied?
  return true unless upload_model_class_has_mounts?

  upload_model_class.uploader_options.has_key?(upload_mount)
end

#uploader_classObject



38
39
40
# File 'app/controllers/uploads_controller.rb', line 38

def uploader_class
  PersonalFileUploader
end