
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorBob Van Landuyt <bob@gitlab.com>2018-09-24 18:01:00 +0300
committerBob Van Landuyt <bob@vanlanduyt.co>2018-09-24 18:01:36 +0300
commitf8578ff3a13ab423e1970ba85a7149810e323aa9 (patch)
tree053c0db8fd44b260098faa395d012f2b56f59784 /app
parentd3b84fa914ca6f9ad38b05f34f11a7194f3e20df (diff)
Merge branch 'fix-events-finder-incomplete-11-3' into 'security-11-3'
[11.3] Redact events shown in the events API See merge request gitlab/gitlabhq!2518
Diffstat (limited to 'app')
-rw-r--r--app/finders/events_finder.rb1
-rw-r--r--app/finders/user_recent_events_finder.rb1
-rw-r--r--app/models/event.rb14
3 files changed, 15 insertions, 1 deletions
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 8676925a540..eb8af63eeb9 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -10,6 +10,7 @@ class EventsFinder
# Arguments:
# source - which user or project to looks for events on
# current_user - only return events for projects visible to this user
+ # WARNING: does not consider project feature visibility!
# params:
# action: string
# target_type: string
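Review bot: The added `WARNING` line says what the finder does not check, but not what a caller has to do about it, so a new caller can still expose the raw result. Since this commit extends `Event#visible_to_user?` in app/models/event.rb, presumably as the per-event check, the comment could name it: `# WARNING: does not consider project feature visibility! Filter results with Event#visible_to_user? before exposing them.` The same wording applies to the identical warning added in app/finders/user_recent_events_finder.rb. The comment block continues outside the hunk, so any existing guidance further down is not visible here.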
diff --git a/app/finders/user_recent_events_finder.rb b/app/finders/user_recent_events_finder.rb
index b874f6959c9..40a33d0afaa 100644
--- a/app/finders/user_recent_events_finder.rb
+++ b/app/finders/user_recent_events_finder.rb
@@ -1,6 +1,7 @@
# Get user activity feed for projects common for a user and a logged in user
#
# - current_user: The user viewing the events
+# WARNING: does not consider project feature visibility!
# - user: The user for which to load the events
# - params:
# - offset: The page of events to return
diff --git a/app/models/event.rb b/app/models/event.rb
index 041dac6941b..ba687cf85df 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -147,6 +147,8 @@ class Event < ActiveRecord::Base
end
end
+ # rubocop:disable Metrics/CyclomaticComplexity
+ # rubocop:disable Metrics/PerceivedComplexity
def visible_to_user?(user = nil)
if push? || commit_note?
Ability.allowed?(user, :download_code, project)
@@ -158,12 +160,18 @@ class Event < ActiveRecord::Base
Ability.allowed?(user, :read_issue, note? ? note_target : target)
elsif merge_request? || merge_request_note?
Ability.allowed?(user, :read_merge_request, note? ? note_target : target)
+ elsif personal_snippet_note?
+ Ability.allowed?(user, :read_personal_snippet, note_target)
+ elsif project_snippet_note?
+ Ability.allowed?(user, :read_project_snippet, note_target)
elsif milestone?
- Ability.allowed?(user, :read_project, project)
+ Ability.allowed?(user, :read_milestone, project)
else
false # No other event types are visible
end
end
+ # rubocop:enable Metrics/PerceivedComplexity
+ # rubocop:enable Metrics/CyclomaticComplexity
def project_name
if project
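Review bot: The two new snippet branches appear to depend on their order, and nothing in the hunk records that. The predicate whose tail opens the last event.rb hunk (`note? && target && target.for_snippet?`, presumably `project_snippet_note?`; its signature is outside the hunk) may also be true for notes on personal snippets. If so, moving it above `personal_snippet_note?` in a later refactor would check `:read_project_snippet` against a personal snippet. A comment above the first branch such as `# personal_snippet_note? must be tested first: project_snippet_note? may also match personal snippet notes` would pin this, or the two predicates could be made mutually exclusive. Both branches pass `note_target` (`target.noteable`) straight to `Ability.allowed?`, so a spec for a note whose snippet no longer exists would confirm that case is denied rather than raising; `visible_to_user?` starts outside this hunk.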
@@ -305,6 +313,10 @@ class Event < ActiveRecord::Base
note? && target && target.for_snippet?
end
+ def personal_snippet_note?
+ note? && target && target.for_personal_snippet?
+ end
+
def note_target
target.noteable
end