diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:17 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:17 +0300 |
commit | c9bcf8fc693c82000181b314f7d0240747e62d02 (patch) | |
tree | 31994fb5855e2b8a25ac8ef809ed9d7b5689ab95 /app | |
parent | 853618e05f6fea4a3a48822601c60a89830269f4 (diff) | |
parent | b58dd075d32e852e6c7ab306c84945cb5d73c06a (diff) |
Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable'
Labels visible despite no access to issues & repositories
See merge request gitlab/gitlabhq!3489
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/labels_finder.rb | 8 | ||||
-rw-r--r-- | app/models/project.rb | 8 |
2 files changed, 11 insertions, 5 deletions
diff --git a/app/finders/labels_finder.rb b/app/finders/labels_finder.rb index e523942ea4c..027cdc4fc78 100644 --- a/app/finders/labels_finder.rb +++ b/app/finders/labels_finder.rb @@ -51,7 +51,7 @@ class LabelsFinder < UnionFinder end label_ids << Label.where(group_id: projects.group_ids) - label_ids << Label.where(project_id: projects.select(:id)) unless only_group_labels? + label_ids << Label.where(project_id: ids_user_can_read_labels(projects)) unless only_group_labels? end label_ids @@ -188,4 +188,10 @@ class LabelsFinder < UnionFinder groups.select { |group| authorized_to_read_labels?(group) } end end + + # rubocop: disable CodeReuse/ActiveRecord + def ids_user_can_read_labels(projects) + Project.where(id: projects.select(:id)).ids_with_issuables_available_for(current_user) + end + # rubocop: enable CodeReuse/ActiveRecord end diff --git a/app/models/project.rb b/app/models/project.rb index 4d9234e482f..74da042d5a5 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -609,11 +609,11 @@ class Project < ApplicationRecord joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id) end - # Returns ids of projects with milestones available for given user + # Returns ids of projects with issuables available for given user # - # Used on queries to find milestones which user can see - # For example: Milestone.where(project_id: ids_with_milestone_available_for(user)) - def ids_with_milestone_available_for(user) + # Used on queries to find milestones or labels which user can see + # For example: Milestone.where(project_id: ids_with_issuables_available_for(user)) + def ids_with_issuables_available_for(user) with_issues_enabled = with_issues_available_for_user(user).select(:id) with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id) |