45ced6c5
Commit
45ced6c5
authored
Sep 21, 2018
by
Nick Thomas
Redact events shown in the events API
parent
8c219294
Changes
4
Showing
4 changed files
with
89 additions
and
3 deletions
+89
-3
app/finders/events_finder.rb
app/finders/events_finder.rb
+1
-0
app/finders/user_recent_events_finder.rb
app/finders/user_recent_events_finder.rb
+1
-0
lib/api/events.rb
lib/api/events.rb
+19
-3
spec/requests/api/redacted_events_spec.rb
spec/requests/api/redacted_events_spec.rb
+68
-0
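--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -12,6 +12,7 @@ class EventsFinder
 # Arguments:
 # source - which user or project to looks for events on
 # current_user - only return events for projects visible to this user
+# WARNING: does not consider project feature visibility!
 # params:
 # action: string
 # target_type: string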
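Review bot: The added WARNING says what the finder does not check, but not what a caller has to do instead, so the next consumer of `EventsFinder` has to discover the per-event redaction step in lib/api/events.rb on their own. I'd make the comment actionable: `# WARNING: does not consider project feature visibility or confidential issues; callers exposing target data must check Event#visible_to_user? (see redact_events in lib/api/events.rb)`. The `current_user` filter documented one line above still lets through events whose target the user cannot see, which is presumably why this commit redacts in the API layer rather than filtering here. The `EventsFinder` class continues outside the hunk.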
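--- a/app/finders/user_recent_events_finder.rb
+++ b/app/finders/user_recent_events_finder.rb
@@ -3,6 +3,7 @@
 # Get user activity feed for projects common for a user and a logged in user
 #
 # - current_user: The user viewing the events
+# WARNING: does not consider project feature visibility!
 # - user: The user for which to load the events
 # - params:
 # - offset: The page of events to return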
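Review bot: The WARNING is inserted in the middle of the parameter list, between `current_user` and `user`, so it reads as a caveat on `current_user` alone rather than on the whole finder. I'd move it above the `- current_user:` entry (or below `- offset:`) and name the consequence: `# WARNING: does not consider project feature visibility; callers must redact via Event#visible_to_user? before exposing target data`. Presumably this finder backs the `/users/:id/events` path the new spec exercises, in which case the redaction in lib/api/events.rb is the only thing protecting it and the comment should point there. The rest of the file is outside the hunk.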
lib/api/events.rb
@@ -16,12 +16,27 @@ module API
@@ -16,12 +16,27 @@ module API
desc:
'Return events sorted in ascending and descending order'
desc:
'Return events sorted in ascending and descending order'
end
end
RedactedEvent
=
OpenStruct
.
new
(
target_title:
'Confidential event'
).
freeze
def
redact_events
(
events
)
events
.
map
do
|
event
|
if
event
.
visible_to_user?
(
current_user
)
event
else
RedactedEvent
end
end
end
# rubocop: disable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def
present_events
(
events
)
def
present_events
(
events
,
redact:
true
)
events
=
events
.
reorder
(
created_at:
params
[
:sort
])
events
=
events
.
reorder
(
created_at:
params
[
:sort
])
.
with_associations
.
with_associations
present
paginate
(
events
),
with:
Entities
::
Event
events
=
paginate
(
events
)
events
=
redact_events
(
events
)
if
redact
present
events
,
with:
Entities
::
Event
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: enable CodeReuse/ActiveRecord
end
end
@@ -44,7 +59,8 @@ module API
@@ -44,7 +59,8 @@ module API
events
=
EventsFinder
.
new
(
params
.
merge
(
source:
current_user
,
current_user:
current_user
)).
execute
.
preload
(
:author
,
:target
)
events
=
EventsFinder
.
new
(
params
.
merge
(
source:
current_user
,
current_user:
current_user
)).
execute
.
preload
(
:author
,
:target
)
present_events
(
events
)
# Since we're viewing our own events, redaction is unnecessary
present_events
(
events
,
redact:
false
)
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: enable CodeReuse/ActiveRecord
end
end
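Review bot: The `redact: false` passed on the `GET /events` path (second hunk, "Since we're viewing our own events, redaction is unnecessary") assumes an event's author can still see every target they once acted on, but `EventsFinder` with `current_user:` only filters by project visibility, and the WARNING this same commit adds says feature visibility is ignored, so a user who has since been removed from a project may still get the title of a confidential issue they commented on through their own feed. Since `redact_events` is cheap for visible events (one `visible_to_user?` call each) I'd drop the flag and call `present_events(events)` here, unless the per-event check is shown to be too expensive for this endpoint; if it is kept, the comment should state the assumption explicitly, e.g. `# Own events are not redacted: assumes the author still has access to every target (not true after removal from a project)`. Note also that redaction runs after `paginate`, so `RedactedEvent` placeholders still reveal how many confidential events exist; that looks deliberate, but worth a one-line comment above `redact_events`. Both endpoint blocks in this file start and end outside the hunk.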
spec/requests/api/redacted_events_spec.rb
0 → 100644
require
'spec_helper'
describe
'Redacted events in API::Events'
do
shared_examples
'private events are redacted'
do
it
'redacts events the user does not have access to'
do
expect_any_instance_of
(
Event
).
to
receive
(
:visible_to_user?
).
and_call_original
get
api
(
path
),
user
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
json_response
).
to
contain_exactly
(
'project_id'
=>
nil
,
'action_name'
=>
nil
,
'target_id'
=>
nil
,
'target_iid'
=>
nil
,
'target_type'
=>
nil
,
'author_id'
=>
nil
,
'target_title'
=>
'Confidential event'
,
'created_at'
=>
nil
,
'author_username'
=>
nil
)
end
end
describe
'/users/:id/events'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:path
)
{
"/users/
#{
project
.
owner
.
id
}
/events"
}
let
(
:issue
)
{
create
(
:issue
,
:confidential
,
project:
project
)
}
before
do
EventCreateService
.
new
.
open_issue
(
issue
,
issue
.
author
)
end
context
'unauthenticated user views another user with private events'
do
let
(
:user
)
{
nil
}
include_examples
'private events are redacted'
end
context
'authenticated user without access views another user with private events'
do
let
(
:user
)
{
create
(
:user
)
}
include_examples
'private events are redacted'
end
end
describe
'/projects/:id/events'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:path
)
{
"/projects/
#{
project
.
id
}
/events"
}
let
(
:issue
)
{
create
(
:issue
,
:confidential
,
project:
project
)
}
before
do
EventCreateService
.
new
.
open_issue
(
issue
,
issue
.
author
)
end
context
'unauthenticated user views public project'
do
let
(
:user
)
{
nil
}
include_examples
'private events are redacted'
end
context
'authenticated user without access views public project'
do
let
(
:user
)
{
create
(
:user
)
}
include_examples
'private events are redacted'
end
end
end
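Review bot: Every context in this spec asserts the redacted shape, and none asserts that a user who does have access still receives the unredacted event, so an inverted or always-false `visible_to_user?` would pass the whole file. I'd add a positive control per `describe` using a project member (`project.owner` should be able to see a confidential issue, though I have not verified that from this page), and a third `describe` for `GET /events`, which this commit explicitly exempts from redaction and which is otherwise untested here. The `expect_any_instance_of(Event).to receive(:visible_to_user?)` in the shared example only proves the check was called; the `json_response` assertion is what carries the security claim, so the positive case should assert on `target_title` and `project_id` the same way.
```ruby
# … unchanged: shared example 'private events are redacted' and the redacted contexts …
context 'authenticated user with access views public project' do
  let(:user) { project.owner }

  it 'returns the confidential event unredacted' do
    get api(path), user

    expect(response).to have_gitlab_http_status(200)
    expect(json_response.first['target_title']).to eq(issue.title)
    expect(json_response.first['project_id']).to eq(project.id)
  end
end
```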