
Fix broken access control for note attachments

What does this MR do?

This MR fixes the broken access control for note attachments by moving the note folder outside of the public folder.
It also adds an avatar uploader because the avatars used the attachment uploader and they should stay in the uploads folder without access control.

Are there points in the code the reviewer needs to double check?

Yes! This MR modifies the backup and restore task so the reviewer needs to triple check the changes in:

  • lib/backup/uploads.rb
  • lib/backup/manager.rb

A broken backup functionality would be pretty bad.

Another thing that needs to be checked carefully is the migration of the note folder.

Why was this MR needed?

As discussed in gitlab-org/gitlab-ce!265 this fixes the broken access control for note attachments.

@DouweM Can you review this please? I didn't manage to get the extension_white_list function to work, so I left the image function in for now. (makes this MR smaller actually) We can refactor this in a later MR.
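An added Ruby sketch (not code from this MR or from GitLab) of the storage split described above: avatars stay under the public directory and are served directly, while note attachments live under a private root and are only handed out after an authorization check and a path check. PUBLIC_ROOT, PRIVATE_ROOT, the Note and User structs and can_read_note? are assumptions for the example.

```ruby
require 'pathname'

# Constructed roots: everything under PUBLIC_ROOT is served by the web server
# with no access control; PRIVATE_ROOT is outside the web root entirely.
PUBLIC_ROOT  = Pathname.new('/var/www/app/public')
PRIVATE_ROOT = Pathname.new('/var/www/app/private')

# Avatars are meant to be world-readable, so they keep the public uploads dir.
class AvatarUploader
  def store_dir
    PUBLIC_ROOT.join('uploads', 'avatar')
  end
end

# Note attachments move out of the web root; each note gets its own directory.
class AttachmentUploader
  def store_dir(note_id)
    PRIVATE_ROOT.join('uploads', 'note', note_id.to_s)
  end
end

# Hypothetical model: a user may read a note's attachment only if they can
# read the project the note belongs to.
Note = Struct.new(:id, :project_id)
User = Struct.new(:name, :project_ids)

def can_read_note?(user, note)
  user.project_ids.include?(note.project_id)
end

# Resolve the file to serve for an attachment download. Returns the absolute
# path, or nil when the user is not authorized or the requested name would
# escape the note's directory (e.g. via "..").
def attachment_path(user, note, filename)
  return nil unless can_read_note?(user, note)

  dir  = AttachmentUploader.new.store_dir(note.id)
  path = dir.join(filename).cleanpath
  return nil unless path.to_s.start_with?(dir.to_s + '/')

  path
end

# True when a path would be served straight by the web server, bypassing Rails.
def served_by_web_server?(path)
  path.to_s.start_with?(PUBLIC_ROOT.to_s + '/')
end
```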
