authorBob Van Landuyt <bob@gitlab.com>2018-10-05 20:46:12 +0300
committerBob Van Landuyt <bob@gitlab.com>2018-10-05 20:46:12 +0300
commitd26bf613b45066b3d2c78ef539cffc109cc39064 (patch)
treecd7b93bf0d984e9ed895066a2681b126de676fd7 /app
parentb82cdf0ec0eb662ffe61ab1b9e9abfb881e0d2a1 (diff)
parent9ba554c8a053c5c9ad52a4e38956c4b9a6f140f7 (diff)
Merge branch 'security-fix-leaking-private-project-namespace' into 'master'
[master] Fix leaking private project namespace Closes #2708 See merge request gitlab/gitlabhq!2529
Diffstat (limited to 'app')
-rw-r--r--app/models/note.rb27
-rw-r--r--app/models/system_note_metadata.rb5
2 files changed, 20 insertions, 12 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index bea02d69b65..1b595ef60b4 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -38,10 +38,12 @@ class Note < ActiveRecord::Base
alias_attribute :last_edited_at, :updated_at
alias_attribute :last_edited_by, :updated_by
- # Attribute containing rendered and redacted Markdown as generated by
- # Banzai::ObjectRenderer.
+ # Number of user visible references as generated by Banzai::ObjectRenderer
attr_accessor :redacted_note_html
+ # Total of all references as generated by Banzai::ObjectRenderer
+ attr_accessor :total_reference_count
+
# An Array containing the number of visible references as generated by
# Banzai::ObjectRenderer
attr_accessor :user_visible_reference_count
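Review bot: The comment now sitting above `attr_accessor :redacted_note_html` describes a reference count, not the attribute it documents; the removed text about rendered and redacted Markdown was the accurate one. Restore `# Attribute containing rendered and redacted Markdown as generated by Banzai::ObjectRenderer.` on that accessor. The unchanged comment on `user_visible_reference_count` calls it "An Array", yet this commit compares it with `> 0` and with `total_reference_count`, so `# Number of user visible references as generated by Banzai::ObjectRenderer` belongs there instead. The `Note` class starts and ends outside this hunk.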
@@ -288,15 +290,7 @@ class Note < ActiveRecord::Base
end
def cross_reference_not_visible_for?(user)
- cross_reference? && !has_referenced_mentionables?(user)
- end
-
- def has_referenced_mentionables?(user)
- if user_visible_reference_count.present?
- user_visible_reference_count > 0
- else
- referenced_mentionables(user).any?
- end
+ cross_reference? && !all_referenced_mentionables_allowed?(user)
end
def award_emoji?
@@ -466,9 +460,18 @@ class Note < ActiveRecord::Base
self.discussion_id ||= discussion_class.discussion_id(self)
end
+ def all_referenced_mentionables_allowed?(user)
+ if user_visible_reference_count.present? && total_reference_count.present?
+ # if they are not equal, then there are private/confidential references as well
+ user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count
+ else
+ referenced_mentionables(user).any?
+ end
+ end
+
def force_cross_reference_regex_check?
return unless system?
- SystemNoteMetadata::TYPES_WITH_CROSS_REFERENCES.include?(system_note_metadata&.action)
+ system_note_metadata&.cross_reference_types&.include?(system_note_metadata&.action)
end
end
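Review bot: The `else` branch of `all_referenced_mentionables_allowed?` still returns `referenced_mentionables(user).any?`, which is true as soon as one reference is visible, so when either count is unset the method does not check what its name promises. If `referenced_mentionables` (defined outside this hunk) filters by the user's permissions, a note mixing visible and private references would presumably still pass on that path. The fallback should fail closed or compare the filtered result against the unfiltered reference total; at minimum add `# FIXME: fallback only proves one reference is visible, not all` above it. Separately, in `force_cross_reference_regex_check?` the repeated safe navigation can be reduced by binding the receiver once: `metadata = system_note_metadata` then `metadata&.cross_reference_types&.include?(metadata.action)`.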
diff --git a/app/models/system_note_metadata.rb b/app/models/system_note_metadata.rb
index 6fadbcefa53..d555ebe5322 100644
--- a/app/models/system_note_metadata.rb
+++ b/app/models/system_note_metadata.rb
@@ -9,6 +9,7 @@ class SystemNoteMetadata < ActiveRecord::Base
TYPES_WITH_CROSS_REFERENCES = %w[
commit cross_reference
close duplicate
+ moved
].freeze
ICON_TYPES = %w[
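Review bot: `TYPES_WITH_CROSS_REFERENCES` gains `moved` with no comment saying what membership in this list controls, even though the same commit reads it (through `cross_reference_types`) in `Note#force_cross_reference_regex_check?`. Add a comment above the constant such as `# Actions whose system notes Note#force_cross_reference_regex_check? treats as cross-references`. Anyone adding a new system note action that embeds a reference needs that hint to know it must be listed here. The `ICON_TYPES` literal that follows continues outside the hunk.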
@@ -26,4 +27,8 @@ class SystemNoteMetadata < ActiveRecord::Base
def icon_types
ICON_TYPES
end
+
+ def cross_reference_types
+ TYPES_WITH_CROSS_REFERENCES
+ end
end