authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-18 00:09:16 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-18 00:09:16 +0300
commit154b9bae142ba15fec753f44327654595094b879 (patch)
tree027f8ae024961778d5b00c77a72fe302f985d4f3 /app/services/search_service.rb
parent2c156e3c7bbade01c36eee18327f1ced6eebea79 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/services/search_service.rb')
-rw-r--r--app/services/search_service.rb48
1 files changed, 47 insertions, 1 deletions
diff --git a/app/services/search_service.rb b/app/services/search_service.rb
index fe5e823b56c..75cd6c78a52 100644
--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@@ -3,6 +3,11 @@
class SearchService
include Gitlab::Allowable
+ REDACTABLE_RESULTS = [
+ ActiveRecord::Relation,
+ Gitlab::Search::FoundBlob
+ ].freeze
+
SEARCH_TERM_LIMIT = 64
SEARCH_CHAR_LIMIT = 4096
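Review bot: REDACTABLE_RESULTS is introduced without a comment saying what membership means, although it is the switch for the new permission filter: `redact_unauthorized_results` in the later hunk starts with `return results unless redactable_results.any? { |redactable| results.is_a?(redactable) }`, so a result collection of any type not listed here is returned without the per-object `Ability.allowed?` check. That fail-open behaviour should be stated where the list is defined so a future result type is not added elsewhere without being registered here; I would add above the constant `# Result collection types whose objects are filtered by Ability.allowed? in` / `# redact_unauthorized_results; collections of any other type are returned unredacted.` The list is also exposed through `redactable_results`, which looks like an intended override point, so the comment could mention that subclasses extending it must return a frozen array of classes that respond to `select` and carry `to_ability_name`-bearing objects. The enclosing class continues beyond this hunk.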
@@ -60,11 +65,52 @@ class SearchService
end
def search_objects
- @search_objects ||= search_results.objects(scope, params[:page])
+ @search_objects ||= redact_unauthorized_results(search_results.objects(scope, params[:page]))
+ end
+
+ def redactable_results
+ REDACTABLE_RESULTS
end
private
+ def visible_result?(object)
+ return true unless object.respond_to?(:to_ability_name) && DeclarativePolicy.has_policy?(object)
+
+ Ability.allowed?(current_user, :"read_#{object.to_ability_name}", object)
+ end
+
+ def redact_unauthorized_results(results)
+ return results unless redactable_results.any? { |redactable| results.is_a?(redactable) }
+
+ permitted_results = results.select do |object|
+ visible_result?(object)
+ end
+
+ filtered_results = (results - permitted_results).each_with_object({}) do |object, memo|
+ memo[object.id] = { ability: :"read_#{object.to_ability_name}", id: object.id, class_name: object.class.name }
+ end
+
+ log_redacted_search_results(filtered_results.values) if filtered_results.any?
+
+ return results.id_not_in(filtered_results.keys) if results.is_a?(ActiveRecord::Relation)
+
+ Kaminari.paginate_array(
+ permitted_results,
+ total_count: results.total_count,
+ limit: results.limit_value,
+ offset: results.offset_value
+ )
+ end
+
+ def log_redacted_search_results(filtered_results)
+ logger.error(message: "redacted_search_results", filtered: filtered_results, current_user_id: current_user&.id, query: params[:search])
+ end
+
+ def logger
+ @logger ||= ::Gitlab::RedactedSearchResultsLogger.build
+ end
+
def search_service
@search_service ||=
if project