author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:06 +0300 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:06 +0300 |
commit | bbe8516749088fd3be303b40eb40f0757ecc99d6 (patch) | |
tree | 54156254139b4068da33eda6fe3fb294b0323f96 /app | |
parent | ddfb716076bd94f02293505881f7a9333d3a5da4 (diff) | |
parent | f8a130b16a59f5ba2b4513faa896fbace7a2ae45 (diff) |
Merge branch 'security-33689-post-filter-search-results-ce-12-4' into '12-4-stable'
Filter out search results based on permissions to avoid bugs leaking data
See merge request gitlab/gitlabhq!3496
Diffstat (limited to 'app')
-rw-r--r-- | app/models/discussion.rb | 1 | ||||
-rw-r--r-- | app/models/milestone.rb | 4 | ||||
-rw-r--r-- | app/models/note.rb | 4 | ||||
-rw-r--r-- | app/models/project.rb | 4 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 2 | ||||
-rw-r--r-- | app/services/notification_service.rb | 2 |
6 files changed, 15 insertions, 2 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index 0d066d0d99f..b8525f7b135 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -16,6 +16,7 @@ class Discussion
 :commit_id,
 :for_commit?,
 :for_merge_request?,
+ :noteable_ability_name,
 :to_ability_name,
 :editable?,
 :visible_for?,
diff --git a/app/models/milestone.rb b/app/models/milestone.rb
index 2fa0cfc9b93..a9f4cdec901 100644
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -261,6 +261,10 @@ class Milestone < ApplicationRecord
 group || project
 end
+ def to_ability_name
 model_name.singular
 end
+
 def group_milestone?
 group_id.present?
 end
diff --git a/app/models/note.rb b/app/models/note.rb
index 43f349c6fa2..ce60413b8a0 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -361,6 +361,10 @@ class Note < ApplicationRecord
 end
 def to_ability_name
+ model_name.singular
 end
+
 def noteable_ability_name
 for_snippet? ? noteable.class.name.underscore : noteable_type.demodulize.underscore
 end
diff --git a/app/models/project.rb b/app/models/project.rb
index 3525f37f8d5..4d9234e482f 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1260,6 +1260,10 @@ class Project < ApplicationRecord
 end
 end
+ def to_ability_name
 model_name.singular
 end
+
 # rubocop: disable CodeReuse/ServiceClass
 def execute_hooks(data, hooks_scope = :push_hooks)
 run_after_commit_or_now do
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index b2af6c874c7..dcde8cefa0d 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -9,7 +9,7 @@ class NotePolicy < BasePolicy
 condition(:editable, scope: :subject) { @subject.editable? }
- condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") }
+ condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
 condition(:is_visible) { @subject.visible_for?(@user) }
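Review bot: `to_ability_name` is added as the identical one-liner `model_name.singular` in this Milestone hunk and again in the Project hunk (and in Note), with nothing saying what consumes the returned string. The merge request description and the NotePolicy hunk suggest these names feed `can?(:"read_#{...}")` checks used to post-filter search results, so a reader cannot tell from the method alone that the value must line up with a `read_<name>` ability declared in the model's policy; whether `read_milestone` and `read_project` are declared there is outside this diff. Suggest the comment `# Name used to build permission checks such as :"read_#{to_ability_name}"; must match the ability declared in this model's policy.` on each copy, or a single definition in a shared concern so the three cannot drift.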
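Review bot: `Note#to_ability_name` changes meaning in the note.rb hunk: it now returns `model_name.singular` (`"note"`), while its previous body, which resolves the noteable's class name (the snippet class or the demodulized `noteable_type`), moves to the new `noteable_ability_name`. That is a silent semantic change to an existing public method, and any remaining caller that interpolates it into an ability symbol will now check `read_note` instead of the parent noteable's read permission; this diff updates only the two callers under app/ (NotePolicy and NotificationService), and since the diffstat is limited to 'app', any callers elsewhere in the tree should be checked before merge. A short comment on each method would make the distinction durable, e.g. `# Ability name of the note itself; use noteable_ability_name for the parent noteable.` on `to_ability_name` and `# Ability name of the parent noteable, used for read_* permission checks on the note.` on `noteable_ability_name`. Both method bodies are fully inside the hunk; the enclosing class is not.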
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index b56b2cf14e3..1709474a6c7 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -281,7 +281,7 @@ class NotificationService
 end
 def send_new_note_notifications(note)
- notify_method = "note_#{note.to_ability_name}_email".to_sym
+ notify_method = "note_#{note.noteable_ability_name}_email".to_sym
 recipients = NotificationRecipientService.build_new_note_recipients(note)
 recipients.each do |recipient| |