diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-10-26 17:34:06 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-11-09 12:24:13 +0100 |
commit | 79d94b167999544086db235602a9213a2d37831e (patch) | |
tree | 624e3a4f8834f6d962d555686405c12e15d7ebeb /app/finders | |
parent | b77969ea39cc6425dcdab35d4239346ce9940279 (diff) | |
download | gitlab-ce-79d94b167999544086db235602a9213a2d37831e.tar.gz |
Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders
This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
See merge request !2000
Diffstat (limited to 'app/finders')
-rw-r--r-- | app/finders/issuable_finder.rb | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb index cc2073081b5..6297b2db369 100644 --- a/app/finders/issuable_finder.rb +++ b/app/finders/issuable_finder.rb @@ -61,31 +61,26 @@ class IssuableFinder def project return @project if defined?(@project) - if project? - @project = Project.find(params[:project_id]) + project = Project.find(params[:project_id]) + project = nil unless Ability.allowed?(current_user, :"read_#{klass.to_ability_name}", project) - unless Ability.allowed?(current_user, :read_project, @project) - @project = nil - end - else - @project = nil - end - - @project + @project = project end def projects return @projects if defined?(@projects) + return @projects = project if project? - if project? - @projects = project - elsif current_user && params[:authorized_only].presence && !current_user_related? - @projects = current_user.authorized_projects.reorder(nil) - elsif group - @projects = GroupProjectsFinder.new(group).execute(current_user).reorder(nil) - else - @projects = ProjectsFinder.new.execute(current_user).reorder(nil) - end + projects = + if current_user && params[:authorized_only].presence && !current_user_related? + current_user.authorized_projects + elsif group + GroupProjectsFinder.new(group).execute(current_user) + else + ProjectsFinder.new.execute(current_user) + end + + @projects = projects.with_feature_available_for_user(klass, current_user).reorder(nil) end def search |