authorFelipe Artur <felipefac@gmail.com>2019-05-20 11:08:31 -0300
committerFelipe Artur <felipefac@gmail.com>2019-05-20 11:08:34 -0300
commitb70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch)
treef2ce52b008b39683db353f07723d14e104b0b250 /app/models/project.rb
parent1602ce28c65125f045e36c4420dafd6a7788d37c (diff)
downloadgitlab-ce-b70b43d07ec27c6410e4a8d7ad417662a8823f8f.tar.gz
Resolve: Milestones leaked via search API
Fix milestone titles being leaked using search API when users cannot read milestones
Diffstat (limited to 'app/models/project.rb')
-rw-r--r--app/models/project.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index ab4da61dcf8..4ca14d1c2ac 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -406,6 +406,7 @@ class Project < ApplicationRecord
scope :with_builds_enabled, -> { with_feature_enabled(:builds) }
scope :with_issues_enabled, -> { with_feature_enabled(:issues) }
scope :with_issues_available_for_user, ->(current_user) { with_feature_available_for_user(:issues, current_user) }
+ scope :with_merge_requests_available_for_user, ->(current_user) { with_feature_available_for_user(:merge_requests, current_user) }
scope :with_merge_requests_enabled, -> { with_feature_enabled(:merge_requests) }
scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct }
@@ -596,6 +597,17 @@ class Project < ApplicationRecord
def group_ids
joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
end
+
+ # Returns ids of projects with milestones available for given user
+ #
+ # Used on queries to find milestones which user can see
+ # For example: Milestone.where(project_id: ids_with_milestone_available_for(user))
+ def ids_with_milestone_available_for(user)
+ with_issues_enabled = with_issues_available_for_user(user).select(:id)
+ with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id)
+
+ from_union([with_issues_enabled, with_merge_requests_enabled]).select(:id)
+ end
end
def all_pipelines
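Review bot: In `ids_with_milestone_available_for`, the locals `with_issues_enabled` and `with_merge_requests_enabled` reuse the names of the user-agnostic scopes visible in the first hunk, although they hold the results of the `*_available_for_user` scopes. Since this method is the access filter for milestone queries, that naming invites a later edit to substitute the `*_enabled` scopes, which take no user and would presumably bring back the leak for projects whose features are restricted to members. I would rename them, e.g. `issues_ids = with_issues_available_for_user(user).select(:id)` and `merge_requests_ids = with_merge_requests_available_for_user(user).select(:id)`, and extend the comment to say that a project qualifies when either issues or merge requests are available to the user, and what is returned when `user` is nil. The block enclosing this method opens outside the hunk and `with_feature_available_for_user` is not visible here, so the nil-user case should be confirmed with a spec for anonymous search.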