Diffstat (limited to 'lib/banzai/filter/cross_project_issuable_information_filter.rb')
-rw-r--r-- | lib/banzai/filter/cross_project_issuable_information_filter.rb | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/lib/banzai/filter/cross_project_issuable_information_filter.rb b/lib/banzai/filter/cross_project_issuable_information_filter.rb
new file mode 100644
index 00000000000..c2c08b4fd6a
--- /dev/null
+++ b/lib/banzai/filter/cross_project_issuable_information_filter.rb
@@ -0,0 +1,40 @@
+module Banzai
+ module Filter
+ # HTML filter that removes sensitive information from cross project
+ # issue references.
+ #
+ # The link to the issue or merge request is preserved only the IID is shown,
+ # but all other info is removed.
+ class CrossProjectIssuableInformationFilter < HTML::Pipeline::Filter
+ def call
+ return doc if can_read_cross_project?
+
+ extractor = Banzai::IssuableExtractor.new(project, current_user)
+ issuables = extractor.extract([doc])
+
+ issuables.each do |node, issuable|
+ next if issuable.project == project
+
+ node['class'] = node['class'].gsub('has-tooltip', '')
+ node['title'] = nil
+ end
+
+ doc
+ end
+
+ private
+
+ def project
+ context[:project]
+ end
+
+ def can_read_cross_project?
+ Ability.allowed?(current_user, :read_cross_project)
+ end
+
+ def current_user
+ context[:current_user]
+ end
+ end
+ end
+end |
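Review bot: In `call`, the redaction for cross-project nodes clears only `title` and the `has-tooltip` class, while the class comment promises that everything except the IID is removed; the link text and any other attributes the reference filters set on the node are left exactly as rendered. Those filters are not visible in this hunk, so it is worth confirming, and pinning in a spec, that nothing else on the node carries the issuable's title or state for a user who lacks `:read_cross_project`. Separately, `node['class'].gsub('has-tooltip', '')` raises NoMethodError if a matched node has no class attribute; `node['class'] = node['class'].to_s.gsub('has-tooltip', '')` avoids that. The class comment could also note that the check fails closed when `context[:project]` is nil, since `issuable.project == project` is then false for every issuable and all of them are redacted.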