Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4'

[Port for security-10-4]: Makes SnippetFinder ensure feature visibility

1 files changed, 46 insertions, 21 deletions

diff --git a/app/finders/snippets_finder.rb b/app/finders/snippets_finder.rb
index 4450766485f..33359fa1efb 100644
--- a/app/finders/snippets_finder.rb
+++ b/app/finders/snippets_finder.rb
@@ -1,14 +1,28 @@
+# Snippets Finder
+#
+# Used to filter Snippets collections by a set of params
+#
+# Arguments.
+#
+# current_user - The current user, nil also can be used.
+# params:
+#   visibility (integer) - Individual snippet visibility: Public(20), internal(10) or private(0).
+#   project (Project) - Project related.
+#   author (User) - Author related.
+#
+# params are optional
 class SnippetsFinder < UnionFinder
-  attr_accessor :current_user, :params
+  include Gitlab::Allowable
+  attr_accessor :current_user, :params, :project
 
   def initialize(current_user, params = {})
     @current_user = current_user
     @params = params
+    @project = params[:project]
   end
 
   def execute
     items = init_collection
-    items = by_project(items)
     items = by_author(items)
     items = by_visibility(items)
 
@@ -18,25 +32,42 @@ class SnippetsFinder < UnionFinder
   private
 
   def init_collection
-    items = Snippet.all
+    if project.present?
+      authorized_snippets_from_project
+    else
+      authorized_snippets
+    end
+  end
 
-    accessible(items)
+  def authorized_snippets_from_project
+    if can?(current_user, :read_project_snippet, project)
+      if project.team.member?(current_user)
+        project.snippets
+      else
+        project.snippets.public_to_user(current_user)
+      end
+    else
+      Snippet.none
+    end
   end
 
-  def accessible(items)
-    segments = []
-    segments << items.public_to_user(current_user)
-    segments << authorized_to_user(items)  if current_user
+  def authorized_snippets
+    Snippet.where(feature_available_projects.or(not_project_related)).public_or_visible_to_user(current_user)
+  end
 
-    find_union(segments, Snippet.includes(:author))
+  def feature_available_projects
+    projects = Project.public_or_visible_to_user(current_user)
+      .with_feature_available_for_user(:snippets, current_user).select(:id)
+    arel_query = Arel::Nodes::SqlLiteral.new(projects.to_sql)
+    table[:project_id].in(arel_query)
   end
 
-  def authorized_to_user(items)
-    items.where(
-      'author_id = :author_id
-       OR project_id IN (:project_ids)',
-       author_id: current_user.id,
-       project_ids: current_user.authorized_projects.select(:id))
+  def not_project_related
+    table[:project_id].eq(nil)
+  end
+
+  def table
+    Snippet.arel_table
   end
 
   def by_visibility(items)
@@ -53,12 +84,6 @@ class SnippetsFinder < UnionFinder
     items.where(author_id: params[:author].id)
   end
 
-  def by_project(items)
-    return items unless params[:project]
-
-    items.where(project_id: params[:project].id)
-  end
-
   def visibility_from_scope
     case params[:scope].to_s
     when 'are_private'