author | Valery Sizov <valery@gitlab.com> | 2016-05-26 14:12:43 +0300 |
---|---|---|
committer | Valery Sizov <valery@gitlab.com> | 2016-05-31 21:32:53 +0300 |
commit | 9154586ce5c46dfac83a1ed1e4beac1940913f16 (patch) | |
tree | f7915c3bf9e7a55ba345bcafe0beb8df06234dc7 /app/models/note.rb | |
parent | 32b9276c25c95e2bb9fb7805b4457fdd948ea08e (diff) | |
download | gitlab-ce-9154586ce5c46dfac83a1ed1e4beac1940913f16.tar.gz |
Confidential notes data leak
Diffstat (limited to 'app/models/note.rb')
-rw-r--r-- | app/models/note.rb | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index 55b98557244..29f38539116 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -77,14 +77,30 @@ class Note < ActiveRecord::Base
   #
   # This method uses ILIKE on PostgreSQL and LIKE on MySQL.
   #
-  # query - The search query as a String.
+  # query - The search query as a String.
+  # as_user - Limit results to those viewable by a specific user
   #
   # Returns an ActiveRecord::Relation.
-  def search(query)
+  def search(query, as_user: nil)
     table = arel_table
     pattern = "%#{query}%"
-    where(table[:note].matches(pattern))
+    found_notes = joins('LEFT JOIN issues ON issues.id = noteable_id').
+      where(table[:note].matches(pattern))
+
+    if as_user
+      found_notes.where('
+        issues.confidential IS NULL
+        OR issues.confidential IS FALSE
+        OR (issues.confidential IS TRUE
+          AND (issues.author_id = :user_id
+            OR issues.assignee_id = :user_id
+            OR issues.project_id IN(:project_ids)))',
+        user_id: as_user.id,
+        project_ids: as_user.authorized_projects.select(:id))
+    else
+      found_notes.where('issues.confidential IS NULL OR issues.confidential IS FALSE')
+    end
   end
   def grouped_awards
|
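Review bot: The new `LEFT JOIN issues ON issues.id = noteable_id` constrains only the id, not `noteable_type`, so a note on a merge request, commit or snippet whose `noteable_id` happens to equal the id of a confidential issue is matched against that unrelated issue row and then shown or hidden by the wrong issue's confidentiality and membership; the join should be `joins("LEFT JOIN issues ON issues.id = notes.noteable_id AND notes.noteable_type = 'Issue'")` (qualifying `noteable_id` also keeps the clause unambiguous if further joins are chained onto `found_notes`). In the `if as_user` branch, project membership is taken from `as_user.authorized_projects` with no access-level condition; if that relation includes guest-level memberships, confirm it matches the level the rest of the application requires for reading confidential issues, otherwise this search filter is looser than the issue views it is meant to mirror. The inline SQL fragment would read better as a frozen class-level constant with a one-line comment naming the three cases it allows (non-issue noteable, non-confidential issue, confidential issue the user authored, is assigned or has project access to), instead of a bare multi-line string inside the method.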