diff options
| author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-07 20:09:00 +0300 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-17 20:47:53 +0300 |
| commit | 28acd2b087d5b80cd89354d58f937aed0f4928cb (patch) | |
| tree | 0eda3c8ee7be722d51a390c750f1fd39dd88276b /app/finders/events_finder.rb | |
| parent | 75262862c434a98b9183a4a63f3ad86dec52b079 (diff) | |
Hide confidential events in ruby
We're filtering the events using `Event#visible_to_user?`.
At most we're loading 100 events at once.
Pagination is also dealt with in the finder, but the resulting array
is wrapped in a `Kaminari.paginate_array` so the API's pagination
helpers keep working. We're passing the total count into that
paginatable array, which would include confidential events. But we're
not disclosing anything.
Diffstat (limited to 'app/finders/events_finder.rb')
| -rw-r--r-- | app/finders/events_finder.rb | 45 |
1 files changed, 40 insertions, 5 deletions
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb index 8df01f1dad9..234b7090fd9 100644 --- a/app/finders/events_finder.rb +++ b/app/finders/events_finder.rb @@ -3,22 +3,27 @@ class EventsFinder prepend FinderMethods prepend FinderWithCrossProjectAccess + + MAX_PER_PAGE = 100 + attr_reader :source, :params, :current_user - requires_cross_project_access unless: -> { source.is_a?(Project) } + requires_cross_project_access unless: -> { source.is_a?(Project) }, model: Event # Used to filter Events # # Arguments: # source - which user or project to looks for events on # current_user - only return events for projects visible to this user - # WARNING: does not consider project feature visibility! # params: # action: string # target_type: string # before: datetime # after: datetime - # + # per_page: integer (max. 100) + # page: integer + # with_associations: boolean + # sort: 'asc' or 'desc' def initialize(params = {}) @source = params.delete(:source) @current_user = params.delete(:current_user) @@ -33,15 +38,18 @@ class EventsFinder events = by_target_type(events) events = by_created_at_before(events) events = by_created_at_after(events) + events = sort(events) + + events = events.with_associations if params[:with_associations] - events + paginated_filtered_by_user_visibility(events) end private # rubocop: disable CodeReuse/ActiveRecord def by_current_user_access(events) - events.merge(ProjectsFinder.new(current_user: current_user).execute) # rubocop: disable CodeReuse/Finder + events.merge(Project.public_or_visible_to_user(current_user)) .joins(:project) end # rubocop: enable CodeReuse/ActiveRecord @@ -77,4 +85,31 @@ class EventsFinder events.where('events.created_at > ?', params[:after].end_of_day) end # rubocop: enable CodeReuse/ActiveRecord + + def sort(events) + return events unless params[:sort] + + if params[:sort] == 'asc' + events.order_id_asc + else + events.order_id_desc + end + end + + def paginated_filtered_by_user_visibility(events) + limited_events = events.page(page).per(per_page) + visible_events = limited_events.select { |event| event.visible_to_user?(current_user) } + + Kaminari.paginate_array(visible_events, total_count: events.count) + end + + def per_page + return MAX_PER_PAGE unless params[:per_page] + + [params[:per_page], MAX_PER_PAGE].min + end + + def page + params[:page] || 1 + end end |