From 7381944565701f2a8db5d58d5bc3c7e52e7f60bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Kadlecova=CC=81?= <jarka@gitlab.com>
Date: Wed, 31 Jan 2018 15:59:59 +0100
Subject: Support search in API

---
 lib/api/v3/projects.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/api/v3')

diff --git a/lib/api/v3/projects.rb b/lib/api/v3/projects.rb
index c856ba99f09..7d8b1f369fe 100644
--- a/lib/api/v3/projects.rb
+++ b/lib/api/v3/projects.rb
@@ -174,7 +174,7 @@ module API
           use :pagination
         end
         get "/search/:query", requirements: { query: %r{[^/]+} } do
-          search_service = Search::GlobalService.new(current_user, search: params[:query]).execute
+          search_service = ::Search::GlobalService.new(current_user, search: params[:query]).execute
           projects = search_service.objects('projects', params[:page], false)
           projects = projects.reorder(params[:order_by] => params[:sort])
 
-- 
cgit v1.2.1


From fec9fb05a5775b864ef6768df166d39fcb2be4bc Mon Sep 17 00:00:00 2001
From: Robert Speicher <robert@gitlab.com>
Date: Thu, 18 Jan 2018 23:10:19 +0000
Subject: Merge branch 'security-10-4-todo-api-reveals-sensitive-information'
 into 'security-10-4'

Restrict Todo API mark_as_done endpoint to the user's todos only
---
 lib/api/v3/todos.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/api/v3')

diff --git a/lib/api/v3/todos.rb b/lib/api/v3/todos.rb
index 2f2cf259987..3e2c61f6dbd 100644
--- a/lib/api/v3/todos.rb
+++ b/lib/api/v3/todos.rb
@@ -12,7 +12,7 @@ module API
         end
         delete ':id' do
           TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
-          todo = Todo.find(params[:id])
+          todo = current_user.todos.find(params[:id])
 
           present todo, with: ::API::Entities::Todo, current_user: current_user
         end
-- 
cgit v1.2.1