Commit ca324614 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-33689-post-filter-search-results-ce' into 'master'

Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3493
parents 64d59e7e 920c7a4a
...@@ -16,6 +16,7 @@ class Discussion ...@@ -16,6 +16,7 @@ class Discussion
:commit_id, :commit_id,
:for_commit?, :for_commit?,
:for_merge_request?, :for_merge_request?,
:noteable_ability_name,
:to_ability_name, :to_ability_name,
:editable?, :editable?,
:visible_for?, :visible_for?,
......
...@@ -261,6 +261,10 @@ class Milestone < ApplicationRecord ...@@ -261,6 +261,10 @@ class Milestone < ApplicationRecord
group || project group || project
end end
def to_ability_name
model_name.singular
end
def group_milestone? def group_milestone?
group_id.present? group_id.present?
end end
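Review bot: The new `to_ability_name` carries no comment explaining what consumes its value, although the NotePolicy hunk in this same commit shows it interpolated into a `:"read_#{...}"` policy check; without that hint the next maintainer may treat it as a display label and change it freely. Suggested comment above the method: `# Interpolated into policy checks such as :"read_#{to_ability_name}"; must match an ability declared in this model's policy.` The identical methods added to Note and Project in this commit would benefit from the same comment. The enclosing `class Milestone` body starts and ends outside the hunk.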
......
...@@ -361,6 +361,10 @@ class Note < ApplicationRecord ...@@ -361,6 +361,10 @@ class Note < ApplicationRecord
end end
def to_ability_name def to_ability_name
model_name.singular
end
def noteable_ability_name
for_snippet? ? noteable.class.name.underscore : noteable_type.demodulize.underscore for_snippet? ? noteable.class.name.underscore : noteable_type.demodulize.underscore
end end
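Review bot: `model_name.singular` is resolved on the concrete class, not the base class, so if Note has STI subclasses (not visible in this diff) the new `to_ability_name` would yield `read_<subclass_name>` rather than `read_note` when interpolated into a policy check; either pin it, e.g. `self.class.base_class.model_name.singular`, or confirm every subclass policy declares the matching ability, and extend the `describe '#to_ability_name'` spec in the Note spec hunk beyond `build(:note)`. Separately, the meaning of `note.to_ability_name` has changed from the noteable's name to `note`; NotePolicy and NotificationService are updated here, but any other caller that builds a `read_*` check from it would now authorize against the note instead of its parent without any error, so a grep for remaining callers is worthwhile. The enclosing `class Note` body starts and ends outside the hunk.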
......
...@@ -1265,6 +1265,10 @@ class Project < ApplicationRecord ...@@ -1265,6 +1265,10 @@ class Project < ApplicationRecord
end end
end end
def to_ability_name
model_name.singular
end
# rubocop: disable CodeReuse/ServiceClass # rubocop: disable CodeReuse/ServiceClass
def execute_hooks(data, hooks_scope = :push_hooks) def execute_hooks(data, hooks_scope = :push_hooks)
run_after_commit_or_now do run_after_commit_or_now do
......
...@@ -9,7 +9,7 @@ class NotePolicy < BasePolicy ...@@ -9,7 +9,7 @@ class NotePolicy < BasePolicy
condition(:editable, scope: :subject) { @subject.editable? } condition(:editable, scope: :subject) { @subject.editable? }
condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
condition(:is_visible) { @subject.visible_for?(@user) } condition(:is_visible) { @subject.visible_for?(@user) }
......
...@@ -281,7 +281,7 @@ class NotificationService ...@@ -281,7 +281,7 @@ class NotificationService
end end
def send_new_note_notifications(note) def send_new_note_notifications(note)
notify_method = "note_#{note.to_ability_name}_email".to_sym notify_method = "note_#{note.noteable_ability_name}_email".to_sym
recipients = NotificationRecipientService.build_new_note_recipients(note) recipients = NotificationRecipientService.build_new_note_recipients(note)
recipients.each do |recipient| recipients.each do |recipient|
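Review bot: The new line builds the symbol with `"...".to_sym` while the NotePolicy change in the same commit uses the symbol-literal form; for consistency and one fewer allocation write `notify_method = :"note_#{note.noteable_ability_name}_email"`. The value comes from the noteable's class name rather than user input, so this is a style point only. `send_new_note_notifications` continues outside the hunk.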
......
...@@ -227,6 +227,14 @@ describe Milestone do ...@@ -227,6 +227,14 @@ describe Milestone do
end end
end end
describe '#to_ability_name' do
it 'returns milestone' do
milestone = build(:milestone)
expect(milestone.to_ability_name).to eq('milestone')
end
end
describe '.search' do describe '.search' do
let(:milestone) { create(:milestone, title: 'foo', description: 'bar') } let(:milestone) { create(:milestone, title: 'foo', description: 'bar') }
......
...@@ -578,24 +578,30 @@ describe Note do ...@@ -578,24 +578,30 @@ describe Note do
end end
describe '#to_ability_name' do describe '#to_ability_name' do
it 'returns snippet for a project snippet note' do it 'returns note' do
expect(build(:note_on_project_snippet).to_ability_name).to eq('project_snippet') expect(build(:note).to_ability_name).to eq('note')
end
end
describe '#noteable_ability_name' do
it 'returns project_snippet for a project snippet note' do
expect(build(:note_on_project_snippet).noteable_ability_name).to eq('project_snippet')
end end
it 'returns personal_snippet for a personal snippet note' do it 'returns personal_snippet for a personal snippet note' do
expect(build(:note_on_personal_snippet).to_ability_name).to eq('personal_snippet') expect(build(:note_on_personal_snippet).noteable_ability_name).to eq('personal_snippet')
end end
it 'returns merge_request for an MR note' do it 'returns merge_request for an MR note' do
expect(build(:note_on_merge_request).to_ability_name).to eq('merge_request') expect(build(:note_on_merge_request).noteable_ability_name).to eq('merge_request')
end end
it 'returns issue for an issue note' do it 'returns issue for an issue note' do
expect(build(:note_on_issue).to_ability_name).to eq('issue') expect(build(:note_on_issue).noteable_ability_name).to eq('issue')
end end
it 'returns issue for a commit note' do it 'returns commit for a commit note' do
expect(build(:note_on_commit).to_ability_name).to eq('commit') expect(build(:note_on_commit).noteable_ability_name).to eq('commit')
end end
end end
......
...@@ -4444,6 +4444,14 @@ describe Project do ...@@ -4444,6 +4444,14 @@ describe Project do
end end
end end
describe '#to_ability_name' do
it 'returns project' do
project = build(:project_empty_repo)
expect(project.to_ability_name).to eq('project')
end
end
describe '#execute_hooks' do describe '#execute_hooks' do
let(:data) { { ref: 'refs/heads/master', data: 'data' } } let(:data) { { ref: 'refs/heads/master', data: 'data' } }
it 'executes active projects hooks with the specified scope' do it 'executes active projects hooks with the specified scope' do
......