diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 19:47:02 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 19:47:02 +0300 |
commit | d00f14d73f41129f9d986d4bec32f1f927b525a6 (patch) | |
tree | 93a8f2296ead9161cd71899e4f410e929ae33fb4 /app | |
parent | 1b6a590b197788a06a1ff726ea61630a49b10412 (diff) |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/feature_flags_controller.rb | 6 | ||||
-rw-r--r-- | app/models/operations/feature_flags/user_list.rb | 5 | ||||
-rw-r--r-- | app/services/feature_flags/update_service.rb | 11 |
3 files changed, 19 insertions, 3 deletions
diff --git a/app/controllers/projects/feature_flags_controller.rb b/app/controllers/projects/feature_flags_controller.rb index e9d450a6ce3..9142f769b28 100644 --- a/app/controllers/projects/feature_flags_controller.rb +++ b/app/controllers/projects/feature_flags_controller.rb @@ -77,7 +77,7 @@ class Projects::FeatureFlagsController < Projects::ApplicationController end else respond_to do |format| - format.json { render_error_json(result[:message]) } + format.json { render_error_json(result[:message], result[:http_status]) } end end end @@ -167,8 +167,8 @@ class Projects::FeatureFlagsController < Projects::ApplicationController render json: feature_flag_json(feature_flag), status: :ok end - def render_error_json(messages) + def render_error_json(messages, status = :bad_request) render json: { message: messages }, - status: :bad_request + status: status end end diff --git a/app/models/operations/feature_flags/user_list.rb b/app/models/operations/feature_flags/user_list.rb index 3e492eaa892..ec109bde0eb 100644 --- a/app/models/operations/feature_flags/user_list.rb +++ b/app/models/operations/feature_flags/user_list.rb @@ -28,6 +28,11 @@ module Operations fuzzy_search(query, [:name], use_minimum_char_limit: false) end + def self.belongs_to?(project_id, user_list_ids) + uniq_ids = user_list_ids.uniq + where(id: uniq_ids, project_id: project_id).count == uniq_ids.count + end + private def ensure_no_associated_strategies diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb index ed5e2e794b4..d956d4b3357 100644 --- a/app/services/feature_flags/update_service.rb +++ b/app/services/feature_flags/update_service.rb @@ -10,6 +10,7 @@ module FeatureFlags def execute(feature_flag) return error('Access Denied', 403) unless can_update?(feature_flag) + return error('Not Found', 404) unless valid_user_list_ids?(feature_flag, user_list_ids(params)) ActiveRecord::Base.transaction do feature_flag.assign_attributes(params) @@ -87,5 +88,15 @@ module FeatureFlags def can_update?(feature_flag) Ability.allowed?(current_user, :update_feature_flag, feature_flag) end + + def user_list_ids(params) + params.fetch(:strategies_attributes, []) + .select { |s| s[:user_list_id].present? } + .map { |s| s[:user_list_id] } + end + + def valid_user_list_ids?(feature_flag, user_list_ids) + user_list_ids.empty? || ::Operations::FeatureFlags::UserList.belongs_to?(feature_flag.project_id, user_list_ids) + end end end |