WIP: Secret personal snippets
What does this MR do?
- Issue - #14201
- Original MR - gitlab-foss!24042 (closed)
This MR adds support for a new visibility level for Snippets called Secret. A Secret Snippet can be viewed by anyone with the correct URL. Secret Snippets are not searchable for non-author users.

The core mechanism for making a Snippet Secret rather than Public is the introduction of a `?token=<unique secret>` query param, which is stored in the `snippets` table in the `secret_token` attribute. `Snippet#secret_token` is populated via the `before_save` AR hook and currently uses `SecureRandom.hex`.

Because `?token=<unique secret>` needs to be provided in order to view a Secret Snippet, it should also be fairly easy to re-generate `<unique secret>` (perhaps via a button within Snippet edit mode). This ability renders existing URLs containing `?token=<original unique secret>` invalid and gives the author some ability to reset/reduce exposure should they need it.
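The token flow described above, as an added plain-Ruby example (not the MR's code and not ActiveRecord): the `Snippet` class, the `:public`/`:private`/`:secret` visibility symbols, `regenerate_secret_token!`, `viewable_by?`, `searchable_by?` and the `example.invalid` share URL are assumptions for illustration. It keeps the points a reviewer would check: the token is only minted when absent (so an ordinary edit does not silently rotate it and break shared links), it only ever grants view access, the comparison is constant-time, and regeneration invalidates the old URL.

```ruby
require 'securerandom'

# Added example modelling the secret-snippet token flow; class and method
# names are assumptions, not GitLab's implementation.
class Snippet
  VISIBILITY = %i[public private secret].freeze
  TOKEN_BYTES = 16 # SecureRandom.hex(16) => 32 hex chars, 128 bits of entropy

  attr_reader :visibility, :secret_token, :author

  def initialize(author:, visibility:)
    raise ArgumentError, "unknown visibility #{visibility}" unless VISIBILITY.include?(visibility)

    @author = author
    @visibility = visibility
    @secret_token = nil
    ensure_secret_token
  end

  # Stands in for the before_save hook. Only fills the token when it is
  # missing, so saving an edit does not rotate it and break every shared URL.
  def ensure_secret_token
    @secret_token ||= SecureRandom.hex(TOKEN_BYTES) if visibility == :secret
  end

  # Explicit reset (the "regenerate" button): URLs carrying the previous
  # token stop working as soon as this is persisted.
  def regenerate_secret_token!
    raise "only secret snippets carry a token" unless visibility == :secret

    @secret_token = SecureRandom.hex(TOKEN_BYTES)
  end

  # View authorization. `token` is the value of the ?token= query param
  # (nil when absent). The token never grants anything beyond viewing.
  def viewable_by?(user, token: nil)
    case visibility
    when :public then true
    when :secret
      return true if user == author

      !token.nil? && constant_time_equal?(secret_token, token.to_s)
    else
      user == author
    end
  end

  # Search/listing visibility: a secret snippet is findable only by its author.
  def searchable_by?(user)
    visibility == :public || user == author
  end

  # The URL the author shares; the token rides in the query string.
  def share_url(base = "https://example.invalid/snippets/1")
    visibility == :secret ? "#{base}?token=#{secret_token}" : base
  end

  private

  # Compare without leaking the position of the first mismatch through timing.
  def constant_time_equal?(expected, given)
    return false unless expected.bytesize == given.bytesize

    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because the secret travels in the query string, it ends up in web-server access logs, browser history and Referer headers of any outbound link on the snippet page; a constant-time compare and a one-click regenerate limit the damage but do not remove that exposure.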
TODO
- [ ] Add missing unit tests
- [ ] Create QA tests
Conformity
- [ ] Changelog entry
- [ ] Documentation created/updated or follow-up review issue created
- [ ] Code review guidelines
- [ ] Merge request performance guidelines
- [ ] Style guides
- [ ] Database guides
- [ ] Separation of EE specific content
Performance and Testing
- [ ] Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [ ] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [ ] Label as security and @ mention @gitlab-com/gl-security/appsec
- [ ] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [ ] Security reports checked/validated by a reviewer from the AppSec team