diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:59 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:59 +0300 |
| commit | 26540c9180f5e4f9317dae1bf8bc1b6be2f7f490 (patch) | |
| tree | 9f1cb5f07cd2a0e1e80341c0f5bf2ef96f9725ba /app | |
| parent | 5f9de1e04140d0a556cd2164ff644ca5fe5c02d2 (diff) | |
| parent | 2533dea98f292882b404625fe1bbf91235cd13b1 (diff) | |
Merge branch 'security-33712-ce-12-5' into '12-5-stable'
Fix private comment Elasticsearch leak
See merge request gitlab/gitlabhq!3546
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/project.rb | 6 | ||||
| -rw-r--r-- | app/models/project_feature.rb | 10 |
2 files changed, 15 insertions, 1 deletions
diff --git a/app/models/project.rb b/app/models/project.rb index f4aa336fbcd..7ae4e2a4cd7 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -517,7 +517,11 @@ class Project < ApplicationRecord # This scope returns projects where user has access to both the project and the feature. def self.filter_by_feature_visibility(feature, user) - with_feature_available_for_user(feature, user).public_or_visible_to_user(user) + with_feature_available_for_user(feature, user) + .public_or_visible_to_user( + user, + ProjectFeature.required_minimum_access_level_for_private_project(feature) + ) end scope :active, -> { joins(:issues, :notes, :merge_requests).order('issues.created_at, notes.created_at, merge_requests.created_at DESC') } diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb index 2013f620b5b..caa65d32c86 100644 --- a/app/models/project_feature.rb +++ b/app/models/project_feature.rb @@ -24,6 +24,7 @@ class ProjectFeature < ApplicationRecord FEATURES = %i(issues merge_requests wiki snippets builds repository pages).freeze PRIVATE_FEATURES_MIN_ACCESS_LEVEL = { merge_requests: Gitlab::Access::REPORTER }.freeze + PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT = { repository: Gitlab::Access::REPORTER }.freeze STRING_OPTIONS = HashWithIndifferentAccess.new({ 'disabled' => DISABLED, 'private' => PRIVATE, @@ -51,6 +52,15 @@ class ProjectFeature < ApplicationRecord PRIVATE_FEATURES_MIN_ACCESS_LEVEL.fetch(feature, Gitlab::Access::GUEST) end + # Guest users can perform certain features on public and internal projects, but not private projects. + def required_minimum_access_level_for_private_project(feature) + feature = ensure_feature!(feature) + + PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT.fetch(feature) do + required_minimum_access_level(feature) + end + end + def access_level_from_str(level) STRING_OPTIONS.fetch(level) end |