diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-10-26 17:34:06 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-11-09 12:24:13 +0100 |
| commit | 79d94b167999544086db235602a9213a2d37831e (patch) | |
| tree | 624e3a4f8834f6d962d555686405c12e15d7ebeb /app/models/project_feature.rb | |
| parent | b77969ea39cc6425dcdab35d4239346ce9940279 (diff) | |
| download | gitlab-ce-79d94b167999544086db235602a9213a2d37831e.tar.gz | |
Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders
This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
See merge request !2000
Diffstat (limited to 'app/models/project_feature.rb')
| -rw-r--r-- | app/models/project_feature.rb | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb index b37ce1d3cf6..34fd5a57b5e 100644 --- a/app/models/project_feature.rb +++ b/app/models/project_feature.rb @@ -20,6 +20,15 @@ class ProjectFeature < ActiveRecord::Base FEATURES = %i(issues merge_requests wiki snippets builds repository) + class << self + def access_level_attribute(feature) + feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name) + raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature) + + "#{feature}_access_level".to_sym + end + end + # Default scopes force us to unscope here since a service may need to check # permissions for a project in pending_delete # http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to @@ -35,9 +44,8 @@ class ProjectFeature < ActiveRecord::Base default_value_for :repository_access_level, value: ENABLED, allows_nil: false def feature_available?(feature, user) - raise ArgumentError, 'invalid project feature' unless FEATURES.include?(feature) - - get_permission(user, public_send("#{feature}_access_level")) + access_level = public_send(ProjectFeature.access_level_attribute(feature)) + get_permission(user, access_level) end def builds_enabled? |