author | Felipe Artur <felipefac@gmail.com> | 2019-05-20 11:08:31 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-05-20 11:08:34 -0300 |
commit | b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch) | |
tree | f2ce52b008b39683db353f07723d14e104b0b250 /app/models | |
parent | 1602ce28c65125f045e36c4420dafd6a7788d37c (diff) | |
download | gitlab-ce-b70b43d07ec27c6410e4a8d7ad417662a8823f8f.tar.gz |
Resolve: Milestones leaked via search API
Fix milestone titles being leaked using search API
when users cannot read milestones
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/project.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index ab4da61dcf8..4ca14d1c2ac 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -406,6 +406,7 @@ class Project < ApplicationRecord
 scope :with_builds_enabled, -> { with_feature_enabled(:builds) }
 scope :with_issues_enabled, -> { with_feature_enabled(:issues) }
 scope :with_issues_available_for_user, ->(current_user) { with_feature_available_for_user(:issues, current_user) }
+ scope :with_merge_requests_available_for_user, ->(current_user) { with_feature_available_for_user(:merge_requests, current_user) }
 scope :with_merge_requests_enabled, -> { with_feature_enabled(:merge_requests) }
 scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct }
@@ -596,6 +597,17 @@ class Project < ApplicationRecord
 def group_ids
 joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
 end
+
+ # Returns ids of projects with milestones available for given user
+ #
+ # Used on queries to find milestones which user can see
+ # For example: Milestone.where(project_id: ids_with_milestone_available_for(user))
+ def ids_with_milestone_available_for(user)
+ with_issues_enabled = with_issues_available_for_user(user).select(:id)
+ with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id)
+
+ from_union([with_issues_enabled, with_merge_requests_enabled]).select(:id)
+ end
 end
 def all_pipelines |
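Review bot: The new `with_merge_requests_available_for_user` scope hands `current_user` straight to `with_feature_available_for_user`, which is defined outside this hunk, so its behaviour for a nil (unauthenticated) user cannot be confirmed from here. Because this scope now feeds an access filter for search results, that case deserves an explicit comment above the scope, for example `# current_user may be nil; anonymous callers should only match projects whose merge requests are open to everyone`. Check the wording against the helper before adding it, and cover the nil-user case in the model spec if it is not covered already.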
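Review bot: `ids_with_milestone_available_for` filters only on issue and merge-request feature availability, so its result is a safe authorization filter only if the receiver is already limited to projects the user may see. The example in the doc comment calls it with no receiver, and whether `with_feature_available_for_user` also checks project visibility is not visible in this hunk. I would add to the comment `# Call this on a relation already restricted to projects the user can access; it only filters by feature availability`. Separately, the locals `with_issues_enabled` and `with_merge_requests_enabled` reuse the names of the scopes in the first hunk while holding "available for user" relations; `issues_available_ids` and `merge_requests_available_ids` would be more accurate. The block enclosing this method opens outside the hunk.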