diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 12:22:56 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 12:22:56 +0300 |
commit | d2d66de7163c42532c5a1c3cddebb144658c5242 (patch) | |
tree | 5c80bff8c43c76f3c5d1a7a24ae173f0742b5129 /app | |
parent | 7ebc422d70a4737a3b5c1b7cf9d0d6e3e47c9890 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-6-stable-eev16.6.2
Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/repository/components/table/row.vue | 4 | ||||
-rw-r--r-- | app/graphql/types/issue_type.rb | 2 | ||||
-rw-r--r-- | app/graphql/types/merge_request_type.rb | 2 | ||||
-rw-r--r-- | app/models/concerns/time_trackable.rb | 8 | ||||
-rw-r--r-- | app/models/timelog.rb | 12 | ||||
-rw-r--r-- | app/services/personal_access_tokens/rotate_service.rb | 40 | ||||
-rw-r--r-- | app/services/project_access_tokens/rotate_service.rb | 58 |
7 files changed, 109 insertions, 17 deletions
diff --git a/app/assets/javascripts/repository/components/table/row.vue b/app/assets/javascripts/repository/components/table/row.vue index 6a81f11eb51..bb2b8ae54b6 100644 --- a/app/assets/javascripts/repository/components/table/row.vue +++ b/app/assets/javascripts/repository/components/table/row.vue @@ -120,13 +120,13 @@ export default { routerLinkTo() { if (this.isBlob) { return buildURLwithRefType({ - path: joinPaths('/-/blob', this.escapedRef, this.path), + path: joinPaths('/-/blob', this.escapedRef, encodeURI(this.path)), refType: this.refType, }); } if (this.isFolder) { return buildURLwithRefType({ - path: joinPaths('/-/tree', this.escapedRef, this.path), + path: joinPaths('/-/tree', this.escapedRef, encodeURI(this.path)), refType: this.refType, }); } diff --git a/app/graphql/types/issue_type.rb b/app/graphql/types/issue_type.rb index 1c8a654a841..7c7d559e05d 100644 --- a/app/graphql/types/issue_type.rb +++ b/app/graphql/types/issue_type.rb @@ -111,7 +111,7 @@ module Types field :time_estimate, GraphQL::Types::Int, null: false, description: 'Time estimate of the issue.' field :total_time_spent, GraphQL::Types::Int, null: false, - description: 'Total time reported as spent on the issue.' + description: 'Total time (in seconds) reported as spent on the issue.' field :closed_at, Types::TimeType, null: true, description: 'Timestamp of when the issue was closed.' diff --git a/app/graphql/types/merge_request_type.rb b/app/graphql/types/merge_request_type.rb index 9dca82f1750..d7c3b313f84 100644 --- a/app/graphql/types/merge_request_type.rb +++ b/app/graphql/types/merge_request_type.rb @@ -199,7 +199,7 @@ module Types field :time_estimate, GraphQL::Types::Int, null: false, description: 'Time estimate of the merge request.' field :total_time_spent, GraphQL::Types::Int, null: false, - description: 'Total time reported as spent on the merge request.' + description: 'Total time (in seconds) reported as spent on the merge request.' field :approved, GraphQL::Types::Boolean, method: :approved?, diff --git a/app/models/concerns/time_trackable.rb b/app/models/concerns/time_trackable.rb index 0f361e70a91..70bc45b382a 100644 --- a/app/models/concerns/time_trackable.rb +++ b/app/models/concerns/time_trackable.rb @@ -45,7 +45,13 @@ module TimeTrackable # rubocop:enable Gitlab/ModuleWithInstanceVariables def total_time_spent - timelogs.sum(:time_spent) + sum = timelogs.sum(:time_spent) + + # A new restriction has been introduced to limit total time spent to - + # Timelog::MAX_TOTAL_TIME_SPENT or 3.154e+7 seconds (approximately a year, a generous limit) + # Since there could be existing records that breach the limit, check and return the maximum/minimum allowed value. + # (some issuable might have total time spent that's negative because a validation was missing.) + sum.clamp(-Timelog::MAX_TOTAL_TIME_SPENT, Timelog::MAX_TOTAL_TIME_SPENT) end def human_total_time_spent diff --git a/app/models/timelog.rb b/app/models/timelog.rb index b6b4decc64b..eb088b1f582 100644 --- a/app/models/timelog.rb +++ b/app/models/timelog.rb @@ -1,6 +1,10 @@ # frozen_string_literal: true class Timelog < ApplicationRecord + # Gitlab::TimeTrackingFormatter.parse("1y") == 31557600 seconds + # 31557600 slightly deviates from (365 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute) + MAX_TOTAL_TIME_SPENT = 31557600.seconds.to_i # a year + include Importable include IgnorableColumns include Sortable @@ -12,6 +16,7 @@ class Timelog < ApplicationRecord validates :time_spent, :user, presence: true validates :summary, length: { maximum: 255 } validate :issuable_id_is_present, unless: :importing? + validate :check_total_time_spent_is_within_range, on: :create, unless: :importing?, if: :time_spent belongs_to :issue, touch: true belongs_to :merge_request, touch: true @@ -58,6 +63,13 @@ class Timelog < ApplicationRecord private + def check_total_time_spent_is_within_range + total_time_spent = issuable.timelogs.sum(:time_spent) + time_spent + + errors.add(:base, _("Total time spent cannot be negative.")) if total_time_spent < 0 + errors.add(:base, _("Total time spent cannot exceed a year.")) if total_time_spent > MAX_TOTAL_TIME_SPENT + end + def issuable_id_is_present if issue_id && merge_request_id errors.add(:base, _('Only Issue ID or merge request ID is required')) diff --git a/app/services/personal_access_tokens/rotate_service.rb b/app/services/personal_access_tokens/rotate_service.rb index 32710629caf..13144a04c11 100644 --- a/app/services/personal_access_tokens/rotate_service.rb +++ b/app/services/personal_access_tokens/rotate_service.rb @@ -10,26 +10,18 @@ module PersonalAccessTokens end def execute(params = {}) - return ServiceResponse.error(message: _('token already revoked')) if token.revoked? + return error_response(_('token already revoked')) if token.revoked? response = ServiceResponse.success PersonalAccessToken.transaction do unless token.revoke! - response = ServiceResponse.error(message: _('failed to revoke token')) + response = error_response(_('failed to revoke token')) raise ActiveRecord::Rollback end - target_user = token.user - new_token = target_user.personal_access_tokens.create(create_token_params(token, params)) - - if new_token.persisted? - response = ServiceResponse.success(payload: { personal_access_token: new_token }) - else - response = ServiceResponse.error(message: new_token.errors.full_messages.to_sentence) - - raise ActiveRecord::Rollback - end + response = create_access_token(params) + raise ActiveRecord::Rollback unless response.success? end response @@ -47,5 +39,29 @@ module PersonalAccessTokens scopes: token.scopes, expires_at: expires_at } end + + def create_access_token(params) + target_user = token.user + + new_token = target_user.personal_access_tokens.create(create_token_params(token, params)) + + return success_response(new_token) if new_token.persisted? + + error_response(new_token.errors.full_messages.to_sentence) + end + + def expires_at(params) + return params[:expires_at] if params[:expires_at] + + params[:expires_at] || EXPIRATION_PERIOD.from_now.to_date + end + + def success_response(new_token) + ServiceResponse.success(payload: { personal_access_token: new_token }) + end + + def error_response(message) + ServiceResponse.error(message: message) + end end end diff --git a/app/services/project_access_tokens/rotate_service.rb b/app/services/project_access_tokens/rotate_service.rb new file mode 100644 index 00000000000..63d8d2a82cc --- /dev/null +++ b/app/services/project_access_tokens/rotate_service.rb @@ -0,0 +1,58 @@ +# frozen_string_literal: true + +module ProjectAccessTokens + class RotateService < ::PersonalAccessTokens::RotateService + extend ::Gitlab::Utils::Override + + def initialize(current_user, token, resource = nil) + @current_user = current_user + @token = token + @project = resource + end + + def execute(params = {}) + super + end + + attr_reader :project + + private + + override :create_access_token + def create_access_token(params) + target_user = token.user + + unless valid_access_level? + return error_response( + _("Not eligible to rotate token with access level higher than the user") + ) + end + + new_token = target_user.personal_access_tokens.create(create_token_params(token, params)) + + if new_token.persisted? + update_bot_membership(target_user, new_token.expires_at) + + return success_response(new_token) + end + + error_response(new_token.errors.full_messages.to_sentence) + end + + def update_bot_membership(target_user, expires_at) + target_user.members.update(expires_at: expires_at) + end + + def valid_access_level? + return true if current_user.can_admin_all_resources? + return false unless current_user.can?(:manage_resource_access_tokens, project) + + token_access_level = project.team.max_member_access(token.user.id).to_i + current_user_access_level = project.team.max_member_access(current_user.id).to_i + + return true if token_access_level.to_i <= current_user_access_level + + false + end + end +end |