From: Dmitriy Zaporozhets
Date: Fri, 15 Feb 2013 07:51:21 +0000 (+0200)
Subject: Per project protection
X-Git-Tag: v5.0.0~278^2
X-Git-Url: http://git.sourceforge.jp/view?a=commitdiff_plain;h=f6cc71bc36283223a10f3004121be34f06547d94;p=wvm%2Fgitlab.git
Per project protection
---
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index 09f1e5512..3cd2e7732 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,13 @@
 class FilesController < ApplicationController
 def download
- uploader = Note.find(params[:id]).attachment
- send_file uploader.file.path, disposition: 'attachment'
+ note = Note.find(params[:id])
+
+ if can?(current_user, :read_project, note.project)
+ uploader = note.attachment
+ send_file uploader.file.path, disposition: 'attachment'
+ else
+ not_found!
+ end
 end
 end
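Review bot: The authorised branch of `download` still calls `uploader.file.path` without checking that the note has an attachment. If `file` is nil for such a note (presumably the case for an uploader with nothing stored; confirm), a project member gets an unhandled NoMethodError instead of the 404 the denied branch returns. Extending the guard, for example `if can?(current_user, :read_project, note.project) && note.attachment.file`, would route that case to `not_found!` as well. If answering with `not_found!` rather than a 403 is deliberate, a short comment above the `else` would record it, such as `# 404, not 403: do not reveal that the note id exists to users without project access`. The check only covers requests that go through this action, and whether the stored file is reachable by some other route is not visible in this hunk and should be confirmed.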