gitlab.com/gitlab-org/gitlab-foss.git
author: Douwe Maan <douwe@gitlab.com>, 2016-11-30 11:11:43 +0300
committer: Robert Speicher <rspeicher@gmail.com>, 2016-12-06 04:26:48 +0300
commit: 29ceb98b5162677601702704e89d845580372078
tree: 8df439d9a22ff3cbda523148d8e40ae0fbcf47de /app/finders
parent: f0f514ac25763a5e02aac7abb8a7528a0437577f
Merge branch 'issue_25064' into 'security'

Ensure state param has a valid value when filtering issuables.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064

This fix makes sure we only call safe methods on issuable when filtering by state.

See merge request !2038
Diffstat (limited to 'app/finders')
-rw-r--r-- app/finders/issuable_finder.rb 13
1 files changed, 8 insertions, 5 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 001c83ccb4b..9560e9d518e 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -7,7 +7,7 @@
# current_user - which user use
# params:
# scope: 'created-by-me' or 'assigned-to-me' or 'all'
-# state: 'open' or 'closed' or 'all'
+# state: 'opened' or 'closed' or 'all'
# group_id: integer
# project_id: integer
# milestone_title: string
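Review bot: the `state:` line in the header comment now lists 'opened', 'closed' and 'all', but `by_state` in this same patch also accepts 'merged'. Add 'merged' to the comment, noting that it only has its own scope on relations that define `merged`, so the documented values match the allow-list in the code.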
@@ -207,10 +207,13 @@ class IssuableFinder
end
def by_state(items)
- params[:state] ||= 'all'
-
- if items.respond_to?(params[:state])
- items.public_send(params[:state])
+ case params[:state].to_s
+ when 'closed'
+ items.closed
+ when 'merged'
+ items.respond_to?(:merged) ? items.merged : items.closed
+ when 'opened'
+ items.opened
else
items
end
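Review bot: the `when 'merged'` branch of `by_state` quietly returns `items.closed` when the relation does not respond to `merged`, so a caller asking for merged items on a type without that scope gets closed ones with no indication. A one-line comment stating that this fallback is intended (or falling through to the unfiltered `items` instead) would make the behaviour explicit. The `else` branch also treats any unrecognized `state` the same as 'all', which is the safe default now that the parameter is no longer handed to `public_send`, but it deserves a spec that passes a state outside the listed values and asserts that the relation comes back unfiltered and that no method named by the parameter is invoked.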