summaryrefslogtreecommitdiff
path: root/app/models/project_feature.rb
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-10-26 17:34:06 +0000
committerRémy Coutable <remy@rymai.me>2016-11-09 12:24:13 +0100
commit79d94b167999544086db235602a9213a2d37831e (patch)
tree624e3a4f8834f6d962d555686405c12e15d7ebeb /app/models/project_feature.rb
parentb77969ea39cc6425dcdab35d4239346ce9940279 (diff)
downloadgitlab-ce-79d94b167999544086db235602a9213a2d37831e.tar.gz
Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private". Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481 See merge request !2000
Diffstat (limited to 'app/models/project_feature.rb')
-rw-r--r--app/models/project_feature.rb14
1 files changed, 11 insertions, 3 deletions
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index b37ce1d3cf6..34fd5a57b5e 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -20,6 +20,15 @@ class ProjectFeature < ActiveRecord::Base
FEATURES = %i(issues merge_requests wiki snippets builds repository)
+ class << self
+ def access_level_attribute(feature)
+ feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name)
+ raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature)
+
+ "#{feature}_access_level".to_sym
+ end
+ end
+
# Default scopes force us to unscope here since a service may need to check
# permissions for a project in pending_delete
# http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to
@@ -35,9 +44,8 @@ class ProjectFeature < ActiveRecord::Base
default_value_for :repository_access_level, value: ENABLED, allows_nil: false
def feature_available?(feature, user)
- raise ArgumentError, 'invalid project feature' unless FEATURES.include?(feature)
-
- get_permission(user, public_send("#{feature}_access_level"))
+ access_level = public_send(ProjectFeature.access_level_attribute(feature))
+ get_permission(user, access_level)
end
def builds_enabled?