author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 01:59:38 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 01:59:38 +0300 |
commit | 734bfe3a2e8b86c3e049f6f13d380b3d30e4e359 (patch) | |
tree | a0599c2a6efd4466ba7f48471def5791d2682e53 /app/models | |
parent | 27e1dab1ed98c46c91b85e8c5dd1cefd62c0cb96 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-6-stable-ee
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/concerns/time_trackable.rb | 8 | ||||
-rw-r--r-- | app/models/timelog.rb | 12 |
2 files changed, 19 insertions, 1 deletions
diff --git a/app/models/concerns/time_trackable.rb b/app/models/concerns/time_trackable.rb
index 0f361e70a91..70bc45b382a 100644
--- a/app/models/concerns/time_trackable.rb
+++ b/app/models/concerns/time_trackable.rb
@@ -45,7 +45,13 @@ module TimeTrackable
 # rubocop:enable Gitlab/ModuleWithInstanceVariables
 
 def total_time_spent
- timelogs.sum(:time_spent)
+ sum = timelogs.sum(:time_spent)
+
+ # A new restriction has been introduced to limit total time spent to -
+ # Timelog::MAX_TOTAL_TIME_SPENT or 3.154e+7 seconds (approximately a year, a generous limit)
+ # Since there could be existing records that breach the limit, check and return the maximum/minimum allowed value.
+ # (some issuable might have total time spent that's negative because a validation was missing.)
+ sum.clamp(-Timelog::MAX_TOTAL_TIME_SPENT, Timelog::MAX_TOTAL_TIME_SPENT)
 end
 
 def human_total_time_spent
diff --git a/app/models/timelog.rb b/app/models/timelog.rb
index b6b4decc64b..eb088b1f582 100644
--- a/app/models/timelog.rb
+++ b/app/models/timelog.rb
@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
 class Timelog < ApplicationRecord
+ # Gitlab::TimeTrackingFormatter.parse("1y") == 31557600 seconds
+ # 31557600 slightly deviates from (365 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute)
+ MAX_TOTAL_TIME_SPENT = 31557600.seconds.to_i # a year
+
 include Importable
 include IgnorableColumns
 include Sortable
@@ -12,6 +16,7 @@ class Timelog < ApplicationRecord
 validates :time_spent, :user, presence: true
 validates :summary, length: { maximum: 255 }
 validate :issuable_id_is_present, unless: :importing?
+ validate :check_total_time_spent_is_within_range, on: :create, unless: :importing?, if: :time_spent
 
 belongs_to :issue, touch: true
 belongs_to :merge_request, touch: true
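Review bot: The clamp in `total_time_spent` silently normalises any sum already outside ±`Timelog::MAX_TOTAL_TIME_SPENT`, so the legacy rows the comment itself says may exist (negative or over a year) are masked rather than surfaced, and nothing on this page makes them findable for clean-up. Consider logging the issuable id and the raw `sum` when the clamped result differs from it, so the data that breaches the new invariant can be detected and repaired instead of being hidden indefinitely. As a point of style, the first comment line ends in a dangling `to -`; a shorter comment such as `# Clamp to ±Timelog::MAX_TOTAL_TIME_SPENT (~1 year): rows written before this validation existed may breach it.` says the same thing without the line-wrap artefact.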
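Review bot: `MAX_TOTAL_TIME_SPENT = 31557600.seconds.to_i` is a round-trip that yields the same Integer it started from (`Integer#seconds` builds an ActiveSupport duration and `to_i` unwraps it), so the `.seconds.to_i` adds a framework dependency to a plain constant without changing its value; `MAX_TOTAL_TIME_SPENT = 31_557_600 # seconds, == Gitlab::TimeTrackingFormatter.parse("1y")` states the unit and the provenance directly. If the intent was to document that the value is in seconds, the inline comment carries that better than the method chain. Either way, keeping the two explanatory comment lines is useful because the constant intentionally differs from 365 × 86400.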
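Review bot: The new validation is declared with `on: :create`, so if `time_spent` can be changed on an existing Timelog (not visible on this page, but nothing here prevents it), an update can push the issuable's total past ±`MAX_TOTAL_TIME_SPENT` without any error, and the clamp in `TimeTrackable#total_time_spent` becomes the only backstop. Running it on update too would need the validator body (in the later hunk) to exclude the record's own persisted `time_spent` from the sum it computes, e.g. `issuable.timelogs.where.not(id: id).sum(:time_spent) + time_spent`, otherwise the record is double-counted. The validator body also calls `issuable.timelogs`, and because `issuable_id_is_present` runs first but does not halt validation, a record with neither issue nor merge request would presumably raise on a nil `issuable` rather than report the existing validation error; guarding with `if: -> { time_spent && issuable }` keeps the failure a validation error. Finally, the check is read-then-write across the issuable's timelogs, so two concurrent creates can each pass and jointly exceed the limit; that residual window is presumably why the clamp on the read side exists, and it is worth saying so in a comment next to this `validate` line.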
@@ -58,6 +63,13 @@ class Timelog < ApplicationRecord
 private
 
+ def check_total_time_spent_is_within_range
+ total_time_spent = issuable.timelogs.sum(:time_spent) + time_spent
+
+ errors.add(:base, _("Total time spent cannot be negative.")) if total_time_spent < 0
+ errors.add(:base, _("Total time spent cannot exceed a year.")) if total_time_spent > MAX_TOTAL_TIME_SPENT
+ end
+
 def issuable_id_is_present
 if issue_id && merge_request_id
 errors.add(:base, _('Only Issue ID or merge request ID is required')) |