Commit 83ece312 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Refactor whitelisting of filter params

parent 048db426
...@@ -81,38 +81,33 @@ module IssuableCollections ...@@ -81,38 +81,33 @@ module IssuableCollections
end end
def issuable_finder_for(finder_class) def issuable_finder_for(finder_class)
finder_class.new(current_user, filter_params) finder_class.new(current_user, finder_options)
end end
# rubocop:disable Gitlab/ModuleWithInstanceVariables # rubocop:disable Gitlab/ModuleWithInstanceVariables
# rubocop: disable CodeReuse/ActiveRecord def finder_options
def filter_params options = {
set_sort_order_from_cookie scope: params[:scope],
set_default_state state: params[:state].presence || 'opened',
sort: set_sort_order_from_cookie || default_sort_order
# Skip irrelevant Rails routing params }
@filter_params = params.dup.except(:controller, :action, :namespace_id)
@filter_params[:sort] ||= default_sort_order
@sort = @filter_params[:sort] # Used by view to highlight active option
params[:state] = options[:state]
@sort = options[:sort]
if @project if @project
@filter_params[:project_id] = @project.id options[:project_id] = @project.id
elsif @group elsif @group
@filter_params[:group_id] = @group.id options[:group_id] = @group.id
@filter_params[:include_subgroups] = true options[:include_subgroups] = true
@filter_params[:use_cte_for_search] = true options[:use_cte_for_search] = true
end end
@filter_params.permit(finder_type.valid_params) params.permit(finder_type.valid_params).merge(options)
end end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop:enable Gitlab/ModuleWithInstanceVariables # rubocop:enable Gitlab/ModuleWithInstanceVariables
def set_default_state
params[:state] = 'opened' if params[:state].blank?
end
def set_sort_order_from_cookie def set_sort_order_from_cookie
sort_param = params[:sort] if params[:sort].present? sort_param = params[:sort] if params[:sort].present?
# fallback to legacy cookie value for backward compatibility # fallback to legacy cookie value for backward compatibility
...@@ -121,7 +116,7 @@ module IssuableCollections ...@@ -121,7 +116,7 @@ module IssuableCollections
sort_value = update_cookie_value(sort_param) sort_value = update_cookie_value(sort_param)
set_secure_cookie(remember_sorting_key, sort_value) set_secure_cookie(remember_sorting_key, sort_value)
params[:sort] = sort_value sort_value
end end
def remember_sorting_key def remember_sorting_key
......
...@@ -19,7 +19,7 @@ module MergeRequestsAction ...@@ -19,7 +19,7 @@ module MergeRequestsAction
(MergeRequestsFinder if action_name == 'merge_requests') (MergeRequestsFinder if action_name == 'merge_requests')
end end
def filter_params def finder_options
super.merge(non_archived: true) super.merge(non_archived: true)
end end
end end
...@@ -4,18 +4,6 @@ class DashboardController < Dashboard::ApplicationController ...@@ -4,18 +4,6 @@ class DashboardController < Dashboard::ApplicationController
include IssuesAction include IssuesAction
include MergeRequestsAction include MergeRequestsAction
FILTER_PARAMS = [
# author_id and assignee_id are kept so old RSS links still work
:author_id,
:assignee_id,
:author_username,
:assignee_username,
:milestone_title,
:weight,
:label_name,
:my_reaction_emoji
].freeze
before_action :event_filter, only: :activity before_action :event_filter, only: :activity
before_action :projects, only: [:issues, :merge_requests] before_action :projects, only: [:issues, :merge_requests]
before_action :set_show_full_reference, only: [:issues, :merge_requests] before_action :set_show_full_reference, only: [:issues, :merge_requests]
...@@ -56,10 +44,13 @@ class DashboardController < Dashboard::ApplicationController ...@@ -56,10 +44,13 @@ class DashboardController < Dashboard::ApplicationController
end end
def check_filters_presence! def check_filters_presence!
@no_filters_set = FILTER_PARAMS.none? { |k| params.key?(k) } @no_filters_set = finder_type.scalar_params.none? { |k| params.key?(k) }
return unless @no_filters_set return unless @no_filters_set
# Call to set selected `state` and `sort` options in view
finder_options
respond_to do |format| respond_to do |format|
format.html { render } format.html { render }
format.atom { head :bad_request } format.atom { head :bad_request }
......
...@@ -14,7 +14,9 @@ ...@@ -14,7 +14,9 @@
# project_id: integer # project_id: integer
# milestone_title: string # milestone_title: string
# author_id: integer # author_id: integer
# author_username: string
# assignee_id: integer or 'None' or 'Any' # assignee_id: integer or 'None' or 'Any'
# assignee_username: string
# search: string # search: string
# label_name: string # label_name: string
# sort: string # sort: string
...@@ -49,25 +51,15 @@ class IssuableFinder ...@@ -49,25 +51,15 @@ class IssuableFinder
assignee_username assignee_username
author_id author_id
author_username author_username
authorized_only
group_id
iids
label_name label_name
milestone_title milestone_title
my_reaction_emoji my_reaction_emoji
non_archived
project_id
scope
search search
sort
state
include_subgroups
use_cte_for_search
] ]
end end
def self.array_params def self.array_params
@array_params ||= { label_name: [], iids: [], assignee_username: [] } @array_params ||= { label_name: [], assignee_username: [] }
end end
def self.valid_params def self.valid_params
......
...@@ -178,11 +178,7 @@ module ApplicationHelper ...@@ -178,11 +178,7 @@ module ApplicationHelper
without = options.delete(:without) without = options.delete(:without)
add_label = options.delete(:label) add_label = options.delete(:label)
exist_opts = filter_bar_params.merge( options = request.query_parameters.merge(options)
params.slice(:state, :scope)
)
options = exist_opts.merge(options)
if without.present? if without.present?
without.each do |key| without.each do |key|
...@@ -197,19 +193,6 @@ module ApplicationHelper ...@@ -197,19 +193,6 @@ module ApplicationHelper
"#{request.path}?#{params.to_param}" "#{request.path}?#{params.to_param}"
end end
def filter_bar_params
params.slice(
:assignee_id,
:assignee_username,
:author_username,
:label_name,
:milestone_title,
:my_reaction_emoji,
:wip,
:search
)
end
def outdated_browser? def outdated_browser?
browser.ie? && browser.version.to_i < 10 browser.ie? && browser.version.to_i < 10
end end
......
...@@ -87,11 +87,6 @@ module EE ...@@ -87,11 +87,6 @@ module EE
::Gitlab::CurrentSettings.instance_review_permitted? && current_user&.admin? ::Gitlab::CurrentSettings.instance_review_permitted? && current_user&.admin?
end end
override :filter_bar_params
def filter_bar_params
super.merge(params.slice(:weight))
end
private private
def appearance def appearance
......
...@@ -60,7 +60,7 @@ describe IssuableCollections do ...@@ -60,7 +60,7 @@ describe IssuableCollections do
end end
end end
describe '#filter_params' do describe '#finder_options' do
let(:params) do let(:params) do
{ {
assignee_id: '1', assignee_id: '1',
...@@ -84,25 +84,20 @@ describe IssuableCollections do ...@@ -84,25 +84,20 @@ describe IssuableCollections do
} }
end end
it 'filters params' do it 'only allows whitelisted params' do
allow(controller).to receive(:cookies).and_return({}) allow(controller).to receive(:cookies).and_return({})
filtered_params = controller.send(:filter_params) finder_options = controller.send(:finder_options)
expect(filtered_params).to eq({ expect(finder_options).to eq({
'assignee_id' => '1', 'assignee_id' => '1',
'assignee_username' => 'user1', 'assignee_username' => 'user1',
'author_id' => '2', 'author_id' => '2',
'author_username' => 'user2', 'author_username' => 'user2',
'authorized_only' => 'true',
'due_date' => '2017-01-01',
'group_id' => '3',
'iids' => '4',
'label_name' => 'foo', 'label_name' => 'foo',
'milestone_title' => 'bar', 'milestone_title' => 'bar',
'my_reaction_emoji' => 'thumbsup', 'my_reaction_emoji' => 'thumbsup',
'non_archived' => 'true', 'due_date' => '2017-01-01',
'project_id' => '5',
'scope' => 'all', 'scope' => 'all',
'search' => 'baz', 'search' => 'baz',
'sort' => 'priority', 'sort' => 'priority',
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment