author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 10:32:21 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 10:32:21 +0000 |
commit | 6bdede45b65c080230ec8b042fd278beba1c111c (patch) | |
tree | f876ad2a42704276aa29c75c85bf7fcb4b764327 | |
parent | 53c7dcdc093ca0f5970fc3924bef81cb78f0f3b0 (diff) | |
download | gitlab-ce-6bdede45b65c080230ec8b042fd278beba1c111c.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-2-stable-ee
-rw-r--r-- | app/models/project.rb | 15 | ||||
-rw-r--r-- | lib/api/entities/project.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/background_migration/user_mentions/models/group.rb | 4 | ||||
-rw-r--r-- | spec/lib/api/entities/project_spec.rb | 39 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 2 |
5 files changed, 62 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 81b04e1316c..1360ed83531 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2669,8 +2669,23 @@ class Project < ApplicationRecord
 ci_cd_settings.group_runners_enabled?
 end
 
+ def visible_group_links(for_user:)
+ user = for_user
+ links = project_group_links_with_preload
+ user.max_member_access_for_group_ids(links.map(&:group_id)) if user && links.any?
+
+ DeclarativePolicy.user_scope do
+ links.select { Ability.allowed?(user, :read_group, _1.group) }
+ end
+ end
+
 private
 
+ # overridden in EE
+ def project_group_links_with_preload
+ project_group_links
+ end
+
 def find_integration(integrations, name)
 integrations.find { _1.to_param == name }
 end
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index 890b42ed8c8..e8e6935a289 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -100,7 +100,9 @@ module API
 expose :build_coverage_regex
 expose :ci_config_path, if: -> (project, options) { Ability.allowed?(options[:current_user], :download_code, project) }
 expose :shared_with_groups do |project, options|
- SharedGroupWithProject.represent(project.project_group_links, options)
+ user = options[:current_user]
+
+ SharedGroupWithProject.represent(project.visible_group_links(for_user: user), options)
 end
 expose :only_allow_merge_if_pipeline_succeeds
 expose :allow_merge_on_skipped_pipeline
diff --git a/lib/gitlab/background_migration/user_mentions/models/group.rb b/lib/gitlab/background_migration/user_mentions/models/group.rb
index a8b4b59b06c..310723570c2 100644
--- a/lib/gitlab/background_migration/user_mentions/models/group.rb
+++ b/lib/gitlab/background_migration/user_mentions/models/group.rb
@@ -11,6 +11,10 @@ module Gitlab
 
 has_one :saml_provider
 
+ def root_saml_provider
+ root_ancestor.saml_provider
+ end
+
 def self.declarative_policy_class
 "GroupPolicy"
 end
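Review bot: The line `user.max_member_access_for_group_ids(links.map(&:group_id)) if user && links.any?` in `visible_group_links` discards its return value, so a reader of the hunk cannot tell why it is there; I would put a comment above it such as `# Warm the user's group-access cache in one query before the per-link Ability check below (presumably avoids one query per group — confirm)`. `visible_group_links` is also the only place in this commit that filters shared-group links by the requester's `:read_group` ability, so a one-line method comment stating that code exposing a project's group links must call it rather than `project_group_links` would make that contract explicit for later callers. The `user && links.any?` guard is what keeps the anonymous (nil user) path safe, which is worth naming in that comment.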
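Review bot: The new `user = options[:current_user]` local in the `shared_with_groups` block is used exactly once, while the `ci_config_path` exposure two lines above reads `options[:current_user]` inline; writing `SharedGroupWithProject.represent(project.visible_group_links(for_user: options[:current_user]), options)` keeps the two exposures consistent and removes the blank line. Unauthenticated requests reach this block with `options[:current_user]` nil, which the `user && links.any?` guard in `visible_group_links` handles, so the anonymous path looks covered; any other serializer that still exposes `project.project_group_links` directly (none is visible in this commit) would need the same change.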
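Review bot: `root_saml_provider` calls `root_ancestor.saml_provider` with no nil guard, and `root_ancestor` is defined outside this hunk; if it can return nil for this isolated migration model, the new method raises NoMethodError instead of returning nil as the name suggests. Either `root_ancestor&.saml_provider` or a comment above the method stating that `root_ancestor` is always present here would settle it. The enclosing class starts and ends outside the hunk.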
diff --git a/spec/lib/api/entities/project_spec.rb b/spec/lib/api/entities/project_spec.rb
new file mode 100644
index 00000000000..8d1c3aa878d
--- /dev/null
+++ b/spec/lib/api/entities/project_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ::API::Entities::Project do
+ let(:project) { create(:project, :public) }
+ let(:current_user) { create(:user) }
+ let(:options) { { current_user: current_user } }
+
+ let(:entity) do
+ ::API::Entities::Project.new(project, options)
+ end
+
+ subject(:json) { entity.as_json }
+
+ describe '.shared_with_groups' do
+ let(:group) { create(:group, :private) }
+
+ before do
+ project.project_group_links.create!(group: group)
+ end
+
+ context 'when the current user does not have access to the group' do
+ it 'is empty' do
+ expect(json[:shared_with_groups]).to be_empty
+ end
+ end
+
+ context 'when the current user has access to the group' do
+ before do
+ group.add_guest(current_user)
+ end
+
+ it 'contains information about the shared group' do
+ expect(json[:shared_with_groups]).to contain_exactly(include(group_id: group.id))
+ end
+ end
+ end
+end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 6e0549d519f..62808da6182 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -990,7 +990,7 @@ RSpec.describe API::Projects do
 
 expect do
 get api('/projects', admin)
- end.not_to exceed_query_limit(control.count)
+ end.not_to exceed_query_limit(control)
 end
 end
 end |
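Review bot: The new spec exercises a signed-in user without and with membership in the shared private group, but not an anonymous request, which is the case the `user && links.any?` guard in `Project#visible_group_links` exists for and the most sensitive one for a public project. I would add a third context inside `describe '.shared_with_groups'` that overrides `let(:current_user) { nil }` and expects `json[:shared_with_groups]` to be empty, so a regression that drops the nil guard fails here rather than in a request spec.
```ruby
    context 'when there is no current user' do
      let(:current_user) { nil }

      it 'is empty' do
        expect(json[:shared_with_groups]).to be_empty
      end
    end
```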