diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 07:42:20 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 07:42:20 +0000 |
commit | 295f35e8ff5fdb2d8b46ecb20c7ba7e41931abdf (patch) | |
tree | 65574d654c6fe86f69865dd62dad3a7c87d86842 | |
parent | 57fdf0350819cd7a5b010d9cbb05423551827ce4 (diff) | |
parent | d6d7cae022989aabfd18d7e72a0ed1caf47c06f0 (diff) | |
download | gitlab-ce-295f35e8ff5fdb2d8b46ecb20c7ba7e41931abdf.tar.gz |
Merge branch 'security-epic-notes-api-reveals-historical-info-ce-12-2' into '12-2-stable'
Filter out old system notes for epics in notes api endpoint response
See merge request gitlab/gitlabhq!3314
-rw-r--r-- | app/controllers/concerns/issuable_actions.rb | 2 | ||||
-rw-r--r-- | app/controllers/concerns/notes_actions.rb | 2 | ||||
-rw-r--r-- | app/models/note.rb | 4 | ||||
-rw-r--r-- | changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml | 5 | ||||
-rw-r--r-- | lib/api/discussions.rb | 2 | ||||
-rw-r--r-- | lib/api/helpers/notes_helpers.rb | 6 | ||||
-rw-r--r-- | lib/api/notes.rb | 2 |
7 files changed, 16 insertions, 7 deletions
diff --git a/app/controllers/concerns/issuable_actions.rb b/app/controllers/concerns/issuable_actions.rb index b86e4451a7e..1d6a1be402c 100644 --- a/app/controllers/concerns/issuable_actions.rb +++ b/app/controllers/concerns/issuable_actions.rb @@ -110,7 +110,7 @@ module IssuableActions end notes = prepare_notes_for_rendering(notes) - notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } + notes = notes.select { |n| n.visible_for?(current_user) } discussions = Discussion.build_collection(notes, issuable) diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb index d2a961efff7..80be7095ed3 100644 --- a/app/controllers/concerns/notes_actions.rb +++ b/app/controllers/concerns/notes_actions.rb @@ -29,7 +29,7 @@ module NotesActions end notes = prepare_notes_for_rendering(notes) - notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } + notes = notes.select { |n| n.visible_for?(current_user) } notes_json[:notes] = if use_note_serializer? diff --git a/app/models/note.rb b/app/models/note.rb index 79aad5cbff9..3956ec192b1 100644 --- a/app/models/note.rb +++ b/app/models/note.rb @@ -332,6 +332,10 @@ class Note < ApplicationRecord cross_reference? && !all_referenced_mentionables_allowed?(user) end + def visible_for?(user) + !cross_reference_not_visible_for?(user) + end + def award_emoji? can_be_award_emoji? && contains_emoji_only? end diff --git a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml new file mode 100644 index 00000000000..c639098721e --- /dev/null +++ b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml @@ -0,0 +1,5 @@ +--- +title: Filter out old system notes for epics in notes api endpoint response +merge_request: +author: +type: security diff --git a/lib/api/discussions.rb b/lib/api/discussions.rb index 6c1acc3963f..9125207167c 100644 --- a/lib/api/discussions.rb +++ b/lib/api/discussions.rb @@ -239,7 +239,7 @@ module API # because notes are redacted if they point to projects that # cannot be accessed by the user. notes = prepare_notes_for_rendering(notes) - notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } + notes.select { |n| n.visible_for?(current_user) } end # rubocop: enable CodeReuse/ActiveRecord end diff --git a/lib/api/helpers/notes_helpers.rb b/lib/api/helpers/notes_helpers.rb index 6bf9057fad7..a6def5a176a 100644 --- a/lib/api/helpers/notes_helpers.rb +++ b/lib/api/helpers/notes_helpers.rb @@ -10,7 +10,7 @@ module API end def update_note(noteable, note_id) - note = noteable.notes.find(params[:note_id]) + note = noteable.notes.find(note_id) authorize! :admin_note, note @@ -59,8 +59,8 @@ module API end def get_note(noteable, note_id) - note = noteable.notes.with_metadata.find(params[:note_id]) - can_read_note = !note.cross_reference_not_visible_for?(current_user) + note = noteable.notes.with_metadata.find(note_id) + can_read_note = note.visible_for?(current_user) if can_read_note present note, with: Entities::Note diff --git a/lib/api/notes.rb b/lib/api/notes.rb index 9381f045144..eaf97bb119e 100644 --- a/lib/api/notes.rb +++ b/lib/api/notes.rb @@ -41,7 +41,7 @@ module API # mismatch between the pagination headers info and the actual notes # array returned, but this is really a edge-case. paginate(raw_notes) - .reject { |n| n.cross_reference_not_visible_for?(current_user) } + .select { |note| note.visible_for?(current_user) } present notes, with: Entities::Note end # rubocop: enable CodeReuse/ActiveRecord |