diff options
author | Douwe Maan <douwe@gitlab.com> | 2018-01-18 16:07:06 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2018-02-09 12:04:05 -0600 |
commit | 5e9e56924a56dcb84c3ae4ae6fc308f635f39f66 (patch) | |
tree | b7160c4277521c309d1f3cc97580c62474cfa759 /app/models/snippet.rb | |
parent | 721fab661de4a01c2d73e88bdd000dfe2e094ced (diff) | |
download | gitlab-ce-5e9e56924a56dcb84c3ae4ae6fc308f635f39f66.tar.gz |
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4'
[Port for security-10-4]: Makes SnippetFinder ensure feature visibility
Diffstat (limited to 'app/models/snippet.rb')
-rw-r--r-- | app/models/snippet.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/app/models/snippet.rb b/app/models/snippet.rb index 7c8716f8c18..a58c208279e 100644 --- a/app/models/snippet.rb +++ b/app/models/snippet.rb @@ -74,6 +74,27 @@ class Snippet < ActiveRecord::Base @link_reference_pattern ||= super("snippets", /(?<snippet>\d+)/) end + # Returns a collection of snippets that are either public or visible to the + # logged in user. + # + # This method does not verify the user actually has the access to the project + # the snippet is in, so it should be only used on a relation that's already scoped + # for project access + def self.public_or_visible_to_user(user = nil) + if user + authorized = user + .project_authorizations + .select(1) + .where('project_authorizations.project_id = snippets.project_id') + + levels = Gitlab::VisibilityLevel.levels_for_user(user) + + where('EXISTS (?) OR snippets.visibility_level IN (?) or snippets.author_id = (?)', authorized, levels, user.id) + else + public_to_user + end + end + def to_reference(from = nil, full: false) reference = "#{self.class.reference_prefix}#{id}" |