From 2f8d8dca22eca9937cee14765ceadc2aee266616 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 30 Sep 2020 23:32:30 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee --- app/services/members/base_service.rb | 5 +++ app/services/todos/destroy/entity_leave_service.rb | 45 ++++++++++++++++++---- 2 files changed, 42 insertions(+), 8 deletions(-) (limited to 'app/services') diff --git a/app/services/members/base_service.rb b/app/services/members/base_service.rb index 5d69418fb7d..3f55f661d9b 100644 --- a/app/services/members/base_service.rb +++ b/app/services/members/base_service.rb @@ -7,6 +7,11 @@ module Members def initialize(current_user = nil, params = {}) @current_user = current_user @params = params + + # could be a string, force to an integer, part of fix + # https://gitlab.com/gitlab-org/gitlab/-/issues/219496 + # Allow the ArgumentError to be raised if it can't be converted to an integer. + @params[:access_level] = Integer(@params[:access_level]) if @params[:access_level] end def after_execute(args) diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb index 4743e9b02ce..0c0548a17a1 100644 --- a/app/services/todos/destroy/entity_leave_service.rb +++ b/app/services/todos/destroy/entity_leave_service.rb @@ -52,7 +52,14 @@ module Todos # rubocop: disable CodeReuse/ActiveRecord def remove_project_todos - Todo.where(project_id: non_authorized_projects, user_id: user.id).delete_all + # Issues are viewable by guests (even in private projects), so remove those todos + # from projects without guest access + Todo.where(project_id: non_authorized_guest_projects, user_id: user.id) + .delete_all + + # MRs require reporter access, so remove those todos that are not authorized + Todo.where(project_id: non_authorized_reporter_projects, target_type: MergeRequest.name, user_id: user.id) + .delete_all end # rubocop: enable CodeReuse/ActiveRecord @@ -68,7 +75,7 @@ module Todos when Project { id: entity.id } when Namespace - { namespace_id: non_member_groups } + { namespace_id: non_authorized_reporter_groups } end Project.where(condition) @@ -76,8 +83,32 @@ module Todos # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord - def non_authorized_projects - projects.where('id NOT IN (?)', user.authorized_projects.select(:id)) + def authorized_reporter_projects + user.authorized_projects(Gitlab::Access::REPORTER).select(:id) + end + # rubocop: enable CodeReuse/ActiveRecord + + # rubocop: disable CodeReuse/ActiveRecord + def authorized_guest_projects + user.authorized_projects(Gitlab::Access::GUEST).select(:id) + end + # rubocop: enable CodeReuse/ActiveRecord + + # rubocop: disable CodeReuse/ActiveRecord + def non_authorized_reporter_projects + projects.where('id NOT IN (?)', authorized_reporter_projects) + end + # rubocop: enable CodeReuse/ActiveRecord + + # rubocop: disable CodeReuse/ActiveRecord + def non_authorized_guest_projects + projects.where('id NOT IN (?)', authorized_guest_projects) + end + # rubocop: enable CodeReuse/ActiveRecord + + # rubocop: disable CodeReuse/ActiveRecord + def authorized_reporter_groups + GroupsFinder.new(user, min_access_level: Gitlab::Access::REPORTER).execute.select(:id) end # rubocop: enable CodeReuse/ActiveRecord @@ -91,9 +122,9 @@ module Todos # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord - def non_member_groups + def non_authorized_reporter_groups entity.self_and_descendants.select(:id) - .where('id NOT IN (?)', user.membership_groups.select(:id)) + .where('id NOT IN (?)', authorized_reporter_groups) end # rubocop: enable CodeReuse/ActiveRecord @@ -106,8 +137,6 @@ module Todos # rubocop: disable CodeReuse/ActiveRecord def confidential_issues assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user.id) - authorized_reporter_projects = user - .authorized_projects(Gitlab::Access::REPORTER).select(:id) Issue.where(project_id: projects, confidential: true) .where('project_id NOT IN(?)', authorized_reporter_projects) -- cgit v1.2.3