Apply reviewer comments

- remove _raw from places - Add tiny test helper method - Downcase upon storage and comparison

Apply reviewer comments
- remove _raw from places - Add tiny test helper method - Downcase upon storage and comparison
0957161c · charlie ablett · Alex Kalderimis · ab04004c · 0957161c · 0957161c
Commit 0957161c authored Feb 11, 2021 by charlie ablett Committed by Alex Kalderimis Feb 11, 2021
10 changed files
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -105,6 +105,6 @@ class Projects::NotesController < Projects::ApplicationController
  end

  def rate_limit_users_allowlist
-    Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist_raw
+    Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist
  end
 end
--- a/app/graphql/mutations/notes/create/base.rb
+++ b/app/graphql/mutations/notes/create/base.rb
@@ -65,7 +65,7 @@ module Mutations

        def rate_limit_throttled?
          rate_limiter = ::Gitlab::ApplicationRateLimiter
-          allowlist = Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist_raw
+          allowlist = Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist

          rate_limiter.throttled?(:notes_create, scope: [current_user], users_allowlist: allowlist)
        end

--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -329,7 +329,7 @@ module ApplicationSettingsHelper
      :email_restrictions,
      :issues_create_limit,
      :notes_create_limit,
-      :notes_create_limit_allowlist,
+      :notes_create_limit_allowlist_raw,
      :raw_blob_request_limit,
      :project_import_limit,
      :project_export_limit,

--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -276,7 +276,7 @@ module ApplicationSettingImplementation
  end

  def notes_create_limit_allowlist_raw=(values)
-    self.notes_create_limit_allowlist = strings_to_array(values)
+    self.notes_create_limit_allowlist = strings_to_array(values).map(&:downcase)
  end

  def asset_proxy_allowlist=(values)

--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -74,7 +74,7 @@ module API
        end
        post ":id/#{noteables_str}/:noteable_id/notes", feature_category: feature_category do
          allowlist =
-            Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist_raw
+            Gitlab::CurrentSettings.current_application_settings.notes_create_limit_allowlist
          check_rate_limit! :notes_create, [current_user], allowlist
          noteable = find_noteable(noteable_type, params[:noteable_id])


--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -150,7 +150,7 @@ module Gitlab
        scoped_user = [options[:scope]].flatten.find { |s| s.is_a?(User) }
        return unless scoped_user

-        scoped_user.username.downcase.in?(options[:users_allowlist].map(&:downcase))
+        scoped_user.username.downcase.in?(options[:users_allowlist])
      end
    end
  end

--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -763,8 +763,9 @@ RSpec.describe Projects::NotesController do
        4.times { create! }
      end

-      it 'allows user in allow-list to create notes' do
-        stub_application_setting(notes_create_limit_allowlist_raw: ["#{user.username}"])
+      it 'allows user in allow-list to create notes, even if the case is different' do
+        user.update_attribute(:username, user.username.titleize)
+        stub_application_setting(notes_create_limit_allowlist: ["#{user.username.downcase}"])
        3.times { create! }

        create!

--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -120,8 +120,12 @@ RSpec.describe ApplicationSetting do
    it { is_expected.not_to allow_value(5.5).for(:notes_create_limit) }
    it { is_expected.not_to allow_value(-2).for(:notes_create_limit) }

-    it { is_expected.to allow_value(['username'] * 100).for(:notes_create_limit_allowlist) }
-    it { is_expected.not_to allow_value(['username'] * 101).for(:notes_create_limit_allowlist) }
+    def many_usernames(num = 100)
+      Array.new(num) { |i| "username#{i}" }
+    end
+
+    it { is_expected.to allow_value(many_usernames(100)).for(:notes_create_limit_allowlist) }
+    it { is_expected.not_to allow_value(many_usernames(101)).for(:notes_create_limit_allowlist) }
    it { is_expected.not_to allow_value(nil).for(:notes_create_limit_allowlist) }
    it { is_expected.to allow_value([]).for(:notes_create_limit_allowlist) }


--- a/spec/support/shared_examples/graphql/notes_creation_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/notes_creation_shared_examples.rb
@@ -77,7 +77,7 @@ RSpec.shared_examples 'a Note mutation when there are rate limit validation erro

  context 'when the user is in the allowlist' do
    before do
-      stub_application_setting(notes_create_limit_allowlist_raw: ["#{current_user.username}"])
+      stub_application_setting(notes_create_limit_allowlist: ["#{current_user.username}"])
    end

    it_behaves_like 'a Note mutation that creates a Note'

--- a/spec/support/shared_examples/requests/api/notes_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/notes_shared_examples.rb
@@ -295,7 +295,7 @@ RSpec.shared_examples 'noteable API' do |parent_type, noteable_type, id_name|
      end

      it 'allows user in allow-list to create notes' do
-        stub_application_setting(notes_create_limit_allowlist_raw: ["#{user.username}"])
+        stub_application_setting(notes_create_limit_allowlist: ["#{user.username}"])
        subject

        expect(response).to have_gitlab_http_status(:created)