Hide confidential events in ruby

We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything.
author: Bob Van Landuyt <bob@vanlanduyt.co> 2018-12-07 18:09:00 +0100
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-12-17 18:47:53 +0100
commit: 28acd2b087d5b80cd89354d58f937aed0f4928cb (patch)
tree: 0eda3c8ee7be722d51a390c750f1fd39dd88276b /app/finders
parent: 75262862c434a98b9183a4a63f3ad86dec52b079 (diff)
download: gitlab-ce-28acd2b087d5b80cd89354d58f937aed0f4928cb.tar.gz
2 files changed, 62 insertions, 13 deletions
diff --git a/app/finders/concerns/finder_with_cross_project_access.rb b/app/finders/concerns/finder_with_cross_project_access.rb
index 220f62bcc7f..06ebb286086 100644
--- a/app/finders/concerns/finder_with_cross_project_access.rb
+++ b/app/finders/concerns/finder_with_cross_project_access.rb
@@ -5,7 +5,8 @@
 #
 # This module depends on the finder implementing the following methods:
 #
-# - `#execute` should return an `ActiveRecord::Relation`
+# - `#execute` should return an `ActiveRecord::Relation` or the `model` needs to
+#              be defined in the call to `requires_cross_project_access`.
 # - `#current_user` the user that requires access (or nil)
 module FinderWithCrossProjectAccess
   extend ActiveSupport::Concern
@@ -13,20 +14,35 @@ module FinderWithCrossProjectAccess
 
   prepended do
     extend Gitlab::CrossProjectAccess::ClassMethods
+
+    cattr_accessor :finder_model
+
+    def self.requires_cross_project_access(*args)
+      super
+
+      self.finder_model = extract_model_from_arguments(args)
+    end
+
+    private
+
+    def self.extract_model_from_arguments(args)
+      args.detect { |argument| argument.is_a?(Hash) && argument[:model] }
+        &.fetch(:model)
+    end
   end
 
   override :execute
   def execute(*args)
     check = Gitlab::CrossProjectAccess.find_check(self)
-    original = super
+    original = -> { super }
 
-    return original unless check
-    return original if should_skip_cross_project_check || can_read_cross_project?
+    return original.call unless check
+    return original.call if should_skip_cross_project_check || can_read_cross_project?
 
     if check.should_run?(self)
-      original.model.none
+      finder_model&.none || original.call.model.none
     else
-      original
+      original.call
     end
   end
 
@@ -48,8 +64,6 @@ module FinderWithCrossProjectAccess
     skip_cross_project_check { super }
   end
 
-  private
-
   attr_accessor :should_skip_cross_project_check
 
   def skip_cross_project_check
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 8df01f1dad9..234b7090fd9 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -3,22 +3,27 @@
 class EventsFinder
   prepend FinderMethods
   prepend FinderWithCrossProjectAccess
+
+  MAX_PER_PAGE = 100
+
   attr_reader :source, :params, :current_user
 
-  requires_cross_project_access unless: -> { source.is_a?(Project) }
+  requires_cross_project_access unless: -> { source.is_a?(Project) }, model: Event
 
   # Used to filter Events
   #
   # Arguments:
   #   source - which user or project to looks for events on
   #   current_user - only return events for projects visible to this user
-  #                  WARNING: does not consider project feature visibility!
   #   params:
   #     action: string
   #     target_type: string
   #     before: datetime
   #     after: datetime
-  #
+  #     per_page: integer (max. 100)
+  #     page: integer
+  #     with_associations: boolean
+  #     sort: 'asc' or 'desc'
   def initialize(params = {})
     @source = params.delete(:source)
     @current_user = params.delete(:current_user)
@@ -33,15 +38,18 @@ class EventsFinder
     events = by_target_type(events)
     events = by_created_at_before(events)
     events = by_created_at_after(events)
+    events = sort(events)
+
+    events = events.with_associations if params[:with_associations]
 
-    events
+    paginated_filtered_by_user_visibility(events)
   end
 
   private
 
   # rubocop: disable CodeReuse/ActiveRecord
   def by_current_user_access(events)
-    events.merge(ProjectsFinder.new(current_user: current_user).execute) # rubocop: disable CodeReuse/Finder
+    events.merge(Project.public_or_visible_to_user(current_user))
       .joins(:project)
   end
   # rubocop: enable CodeReuse/ActiveRecord
@@ -77,4 +85,31 @@ class EventsFinder
     events.where('events.created_at > ?', params[:after].end_of_day)
   end
   # rubocop: enable CodeReuse/ActiveRecord
+
+  def sort(events)
+    return events unless params[:sort]
+
+    if params[:sort] == 'asc'
+      events.order_id_asc
+    else
+      events.order_id_desc
+    end
+  end
+
+  def paginated_filtered_by_user_visibility(events)
+    limited_events = events.page(page).per(per_page)
+    visible_events = limited_events.select { |event| event.visible_to_user?(current_user) }
+
+    Kaminari.paginate_array(visible_events, total_count: events.count)
+  end
+
+  def per_page
+    return MAX_PER_PAGE unless params[:per_page]
+
+    [params[:per_page], MAX_PER_PAGE].min
+  end
+
+  def page
+    params[:page] || 1
+  end
 end
author	Bob Van Landuyt <bob@vanlanduyt.co>	2018-12-07 18:09:00 +0100
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-12-17 18:47:53 +0100
commit	28acd2b087d5b80cd89354d58f937aed0f4928cb (patch)
tree	0eda3c8ee7be722d51a390c750f1fd39dd88276b /app/finders
parent	75262862c434a98b9183a4a63f3ad86dec52b079 (diff)
download	gitlab-ce-28acd2b087d5b80cd89354d58f937aed0f4928cb.tar.gz