1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
|
# frozen_string_literal: true
# Finder for retrieving snippets that a user can see, optionally scoped to a
# project or snippets author.
#
# Basic usage:
#
# user = User.find(1)
#
# SnippetsFinder.new(user).execute
#
# To limit the snippets to a specific project, supply the `project:` option:
#
# user = User.find(1)
# project = Project.find(1)
#
# SnippetsFinder.new(user, project: project).execute
#
# Limiting snippets to an author can be done by supplying the `author:` option:
#
# user = User.find(1)
# project = Project.find(1)
#
# SnippetsFinder.new(user, author: user).execute
#
# To filter snippets using a specific visibility level, you can provide the
# `scope:` option:
#
# user = User.find(1)
# project = Project.find(1)
#
# SnippetsFinder.new(user, author: user, scope: :are_public).execute
#
# Valid `scope:` values are:
#
# * `:are_private`
# * `:are_internal`
# * `:are_public`
#
# Any other value will be ignored.
class SnippetsFinder < UnionFinder
include FinderMethods
include Gitlab::Utils::StrongMemoize
include CreatedAtFilter
attr_reader :current_user, :params
def initialize(current_user = nil, params = {})
@current_user = current_user
@params = params
if project && author
raise(
ArgumentError,
'Filtering by both an author and a project is not supported, ' \
'as this finder is not optimised for this use case'
)
end
end
def execute
# The snippet query can be expensive, therefore if the
# author or project params have been passed and they don't
# exist, or if a Project has been passed and has snippets
# disabled, it's better to return
return Snippet.none if author.nil? && params[:author].present?
return Snippet.none if project.nil? && params[:project].present?
return Snippet.none if project && !project.feature_available?(:snippets, current_user)
filter_snippets.order_by(sort_param)
end
private
def filter_snippets
if return_all_available_and_permited?
snippets = all_snippets_for_admin
else
snippets = all_snippets
snippets = by_ids(snippets)
snippets = snippets.with_optional_visibility(visibility_from_scope)
end
by_created_at(snippets)
end
def return_all_available_and_permited?
# Currently limited to access_levels `admin` and `auditor`
# See policies/base_policy.rb files for specifics.
params[:all_available] && current_user&.can_read_all_resources?
end
def all_snippets
if explore?
snippets_for_explore
elsif only_personal?
personal_snippets
elsif project
snippets_for_a_single_project
else
snippets_for_personal_and_multiple_projects
end
end
# Produces a query that retrieves snippets for the Explore page
#
# We only show personal snippets here because this page is meant for
# discovery, and project snippets are of limited interest here.
def snippets_for_explore
Snippet.public_to_user(current_user).only_personal_snippets
end
# Produces a query that retrieves snippets from multiple projects.
#
# The resulting query will, depending on the user's permissions, include the
# following collections of snippets:
#
# 1. Snippets that don't belong to any project.
# 2. Snippets of projects that are visible to the current user (e.g. snippets
# in public projects).
# 3. Snippets of projects that the current user is a member of.
#
# Each collection is constructed in isolation, allowing for greater control
# over the resulting SQL query.
def snippets_for_personal_and_multiple_projects
queries = []
queries << personal_snippets unless only_project?
if Ability.allowed?(current_user, :read_cross_project)
queries << snippets_of_visible_projects
queries << snippets_of_authorized_projects if current_user
end
prepared_union(queries)
end
def all_snippets_for_admin
return Snippet.only_project_snippets if only_project?
Snippet.all
end
def snippets_for_a_single_project
Snippet.for_project_with_user(project, current_user)
end
def personal_snippets
snippets_for_author_or_visible_to_user.only_personal_snippets
end
# Returns the snippets that the current user (logged in or not) can view.
def snippets_of_visible_projects
snippets_for_author_or_visible_to_user
.only_include_projects_visible_to(current_user)
.only_include_projects_with_snippets_enabled
end
# Returns the snippets that the currently logged in user has access to by
# being a member of the project the snippets belong to.
#
# This method requires that `current_user` returns a `User` instead of `nil`,
# and is optimised for this specific scenario.
def snippets_of_authorized_projects
base = author ? author.snippets : Snippet.all
base
.only_include_projects_with_snippets_enabled(include_private: true)
.only_include_authorized_projects(current_user)
end
def snippets_for_author_or_visible_to_user
if author
snippets_for_author
elsif current_user
Snippet.visible_to_or_authored_by(current_user)
else
Snippet.public_to_user
end
end
def snippets_for_author
base = author.snippets
if author == current_user
# If the current user is also the author of all snippets, then we can
# include private snippets.
base
else
base.public_to_user(current_user)
end
end
def visibility_from_scope
case params[:scope].to_s
when 'are_private'
Snippet::PRIVATE
when 'are_internal'
Snippet::INTERNAL
when 'are_public'
Snippet::PUBLIC
end
end
def by_ids(snippets)
return snippets unless params[:ids].present?
snippets.id_in(params[:ids])
end
def author
strong_memoize(:author) do
next unless params[:author].present?
params[:author].is_a?(User) ? params[:author] : User.find_by_id(params[:author])
end
end
def project
strong_memoize(:project) do
next unless params[:project].present?
params[:project].is_a?(Project) ? params[:project] : Project.find_by_id(params[:project])
end
end
def sort_param
params[:sort].presence || 'id_desc'
end
def explore?
params[:explore].present?
end
def only_personal?
params[:only_personal].present?
end
def only_project?
params[:only_project].present?
end
def prepared_union(queries)
return Snippet.none if queries.empty?
return queries.first if queries.length == 1
# The queries are going to be part of a global `where`
# therefore we only need to retrieve the `id` column
# which will speed the query
queries.map! { |rel| rel.select(:id) }
Snippet.id_in(find_union(queries, Snippet))
end
end
SnippetsFinder.prepend_mod_with('SnippetsFinder')
|
