author | Valery Sizov <valery@gitlab.com> | 2016-05-26 14:12:43 +0300 |
---|---|---|
committer | Valery Sizov <valery@gitlab.com> | 2016-05-27 19:58:31 +0300 |
commit | e90df69859a31b9a24a401a8cc6b3c7aea2fb65c (patch) | |
tree | 7ddda681c2869a52038e3b72a05de6715c700581 | |
parent | f2caad2467f318ec1359ee9b03509e831cde9d16 (diff) | |
Confidential notes data leak (branch: data_leak)
-rw-r--r-- | CHANGELOG | 3 | ||||
-rw-r--r-- | app/models/note.rb | 19 | ||||
-rw-r--r-- | lib/gitlab/project_search_results.rb | 2 | ||||
-rw-r--r-- | spec/models/note_spec.rb | 19 |
4 files changed, 40 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 24c691b4718..3b7950fd777 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,9 @@ v 8.9.0 (unreleased)
- Fix issues filter when ordering by milestone
- Todos will display target state if issuable target is 'Closed' or 'Merged'
+v 8.8.3
+ - In search results, only show notes on confidential issues that the user has access to
+
v 8.8.2
- Added remove due date button. !4209
- Fix Error 500 when accessing application settings due to nil disabled OAuth sign-in sources. !4242
diff --git a/app/models/note.rb b/app/models/note.rb
index 55b98557244..f22f3f84e09 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -80,11 +80,26 @@ class Note < ActiveRecord::Base
# query - The search query as a String.
#
# Returns an ActiveRecord::Relation.
- def search(query)
+ def search(query, user = nil)
table = arel_table
pattern = "%#{query}%"
- where(table[:note].matches(pattern))
+ found_notes = joins('LEFT JOIN issues ON issues.id = noteable_id').
+ where(table[:note].matches(pattern))
+
+ if user
+ found_notes.where('
+ issues.confidential IS NOT TRUE
+ OR (issues.confidential IS TRUE
+ AND (issues.author_id = :user_id
+ OR issues.assignee_id = :user_id
+ OR issues.project_id IN(:project_ids)))',
+ user_id: user.id,
+ project_ids: user.authorized_projects.select(:id)
+ )
+ else
+ found_notes.where('issues.confidential IS NOT TRUE')
+ end
end
def grouped_awards
diff --git a/lib/gitlab/project_search_results.rb b/lib/gitlab/project_search_results.rb
index 71c5b6801fb..f9646a1c9ce 100644
--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -74,7 +74,7 @@ module Gitlab
end
def notes
- project.notes.user.search(query).order('updated_at DESC')
+ project.notes.user.search(query, @current_user).order('updated_at DESC')
end
def commits
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 5d916f0e6a6..427c7a3ed6f 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
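Review bot: The new `LEFT JOIN issues ON issues.id = noteable_id` in `Note.search` joins on the id alone, so a note whose noteable is a merge request, commit or snippet with a noteable_id equal to some confidential issue's id inherits that issue's `confidential` flag and is filtered on the wrong row; the join should be constrained by the polymorphic type as well, e.g. `joins("LEFT JOIN issues ON issues.id = noteable_id AND noteable_type = 'Issue'")`. Separately, the `issues.project_id IN(:project_ids)` branch grants visibility for every project in `user.authorized_projects`, which looks broader than the per-issue confidentiality rule applied elsewhere — if that relation includes memberships at the lowest access level, those members would receive confidential-issue notes in search results, so the project list should be narrowed to the access level allowed to read confidential issues or the results post-filtered through the same ability check. The method comment above the signature still documents only `query`; add `# user  - The User whose access is applied; nil (the default) hides all notes on confidential issues.`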
@@ -111,6 +111,25 @@ describe Note, models: true do
it 'returns notes with matching content regardless of the casing' do
expect(described_class.search('WOW')).to eq([note])
end
+
+ context "confidential issues" do
+ let(:user) { create :user }
+ let(:confidential_issue) { create :issue, confidential: true, author: user }
+ let(:confidential_note) { create :note, note: "Random", noteable: confidential_issue }
+
+ it "returns notes with matching content if user can see the issue" do
+ expect(described_class.search(confidential_note.note, user)).to eq([confidential_note])
+ end
+
+ it "does not return notes with matching content if user can not see the issue" do
+ user = create :user
+ expect(described_class.search(confidential_note.note, user)).to be_empty
+ end
+
+ it "does not return notes with matching content for unauthenticated users" do
+ expect(described_class.search(confidential_note.note)).to be_empty
+ end
+ end
end
describe '.grouped_awards' do |
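Review bot: The new `"confidential issues"` context only exercises the `author_id` branch of the SQL that `Note.search` now builds; the `assignee_id` and `project_id IN(:project_ids)` branches, and the behaviour of a note on a non-issue noteable whose id collides with a confidential issue, have no example, so a regression in any of them would pass this suite. Add an example for an assignee, one for a project member who is neither author nor assignee, and one for a note on a non-issue noteable whose noteable_id equals `confidential_issue.id`. The describe block that encloses these examples opens before this hunk.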