WIP: Secret personal snippets
What does this MR do?
This MR adds support for a new visibility level for Snippets called Secret. A Secret Snippet can be viewed by anyone with the correct URL. Secret Snippets are not searchable.

The core mechanism for making a Snippet Secret vs. Public is the introduction of the `?secret=<unique secret>` query param, which is stored in the `snippets` table in the `secret_word` attribute. `Snippet#secret_word` is populated via the `before_save` AR hook and currently uses `SecureRandom.hex`.

Because `?secret=<unique secret>` needs to be provided in order to view a Secret Snippet, it should also be fairly easy to re-generate `<unique secret>` (perhaps via a button within Snippet edit mode). This ability allows existing URLs containing `?secret=<original unique secret>` to be rendered invalid and offers the author some ability to reset / reduce exposure should they need it.
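As an added example (not code from this MR or from GitLab), a plain-Ruby sketch of the mechanism described above: a token generated with `SecureRandom.hex` in place of the `before_save` hook, a constant-time check of the `?secret=` value, regeneration that invalidates old URLs, and search that never surfaces a Secret Snippet to anyone but its author. The `Snippet` class, `visible_to?`, `searchable_by?` and `search_snippets` are assumed names; only `secret_word`, `before_save` and `SecureRandom.hex` come from the MR.

```ruby
require 'securerandom'

# Added example (not GitLab's code): plain-Ruby model of the MR's mechanism.
# Only secret_word, before_save and SecureRandom.hex come from the MR; the
# Snippet class and the helpers below are assumed names for illustration.
class Snippet
  VISIBILITY = %i[public secret].freeze
  attr_reader :id, :title, :author, :visibility, :secret_word

  def initialize(id:, title:, author:, visibility:)
    raise ArgumentError, "unknown visibility" unless VISIBILITY.include?(visibility)
    @id, @title, @author, @visibility = id, title, author, visibility
    assign_secret_word # stands in for the before_save AR hook
  end

  # Secret snippets always carry a 32-hex-char token; public ones carry none.
  def assign_secret_word
    @secret_word = visibility == :secret ? SecureRandom.hex : nil
  end

  # Author-triggered reset: every URL carrying the old ?secret= stops working.
  def regenerate_secret_word!
    @secret_word = SecureRandom.hex
  end

  # Access decision: public, or the author, or a matching ?secret= value.
  def visible_to?(user, secret_param: nil)
    return true if visibility == :public || user == author
    !secret_param.nil? && secure_compare(secret_word, secret_param)
  end

  # Search must never surface a secret snippet to anyone but its author.
  def searchable_by?(user)
    visibility == :public || user == author
  end

  private

  # Constant-time comparison so the token cannot be guessed byte-by-byte via timing.
  def secure_compare(expected, given)
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Search stand-in returning the ids the searching user is allowed to see.
def search_snippets(snippets, term, user)
  snippets.select { |s| s.searchable_by?(user) && s.title.include?(term) }.map(&:id)
end
```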
TODO
- Add missing unit tests
- Create QA tests
Public Snippet (58)
http://localhost:3000/snippets/58
Secret Snippet (57 - as an authenticated user who is the author)
http://localhost:3000/snippets/57?secret=6b53dafbb1e9492ea1dce70081e0ed0e
Secret Snippet (57 - as an authenticated user who is not the author)
http://localhost:3000/snippets/57?secret=6b53dafbb1e9492ea1dce70081e0ed0e
Searching through Snippets - as an unauthenticated user
http://localhost:3000/search?utf8=%E2%9C%93&snippets=true&scope=&search=bleepers
Searching through Snippets - as an authenticated user (but not the author of Secret Snippet 57)
http://localhost:3000/search?utf8=%E2%9C%93&snippets=true&scope=&search=bleepers
Searching through Snippets - as an authenticated user who is the author of Secret Snippet 57
http://localhost:3000/search?utf8=%E2%9C%93&snippets=true&scope=&search=bleepers
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
- Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
- Security reports checked/validated by reviewer
Closes #13235 (moved)