WIP: Secret personal snippets without visibility level
What does this MR do?
This MR adds support for a new visibility level for Snippets without actually adding a new visibility level. A Secret Snippet can be viewed by anyone with the correct URL. Secret Snippets are not searchable by non-author users.
The core mechanism for making a Snippet Secret vs. Public is via the introduction of the ?token=<unique secret> query param which is stored in the snippets table in the secret_token attribute. Snippet#secret_token is populated via the before_save AR hook and currently uses SecureRandom.hex.
Because ?token=<unique secret> needs to be provided in order to view a Secret Snippet, it should also be fairly easy to re-generate <unique secret> (perhaps via a button within Snippet edit mode). This ability allows existing URLs containing ?token=<original unique secret> to be rendered invalid and offers some ability to the author to reset/reduce exposure should they need it.
Refs #14201
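The token lifecycle described above, sketched in plain Ruby as an added example (not code from this MR or from GitLab). The `SecretSnippet` class, its method names, the assign-once behaviour of `save` and the constant-time comparison are assumptions for illustration; only `SecureRandom.hex` and the `secret_token` attribute come from the description.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for the Snippet model; plain Ruby, no ActiveRecord.
class SecretSnippet
  attr_reader :secret_token, :content

  def initialize(content)
    @content = content
    @secret_token = nil
  end

  # Plays the role of the before_save hook. Assumption: the token is
  # assigned once and kept across later saves so shared URLs stay valid.
  def save
    @secret_token ||= SecureRandom.hex # 16 random bytes as 32 hex characters
    self
  end

  # Rotating the token invalidates every URL that carries the previous one.
  def regenerate_secret_token!
    @secret_token = SecureRandom.hex
  end

  # True only when the supplied ?token= value matches the stored token.
  # Fails closed for a missing param, a non-string param (e.g. ?token[]=x)
  # and an unsaved snippet, so nil never "matches" nil.
  def visible_with?(supplied)
    return false unless @secret_token.is_a?(String) && supplied.is_a?(String)

    constant_time_equal?(@secret_token, supplied)
  end

  private

  # Compares fixed-length digests byte by byte with no early exit, so the
  # time taken does not depend on how many leading characters match.
  def constant_time_equal?(a, b)
    da = Digest::SHA256.digest(a).bytes
    db = Digest::SHA256.digest(b).bytes
    da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails application the comparison helper would normally be `ActiveSupport::SecurityUtils.secure_compare`; it is written out here only so the block runs without Rails.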