authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:05:41 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:05:41 +0000
commite12f099f39ef8fb81f9b91612f8b35aefba7347c (patch)
tree03f55fd572a093bd4d278a7baf683ea40451e07f /app/models
parent01a6adb2b453b852a9348365c4e867d6a36ddeb1 (diff)
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'app/models')
-rw-r--r--app/models/concerns/bulk_member_access_load.rb25
-rw-r--r--app/models/concerns/diff_positionable_note.rb1
-rw-r--r--app/models/preloaders/user_max_access_level_in_groups_preloader.rb9
-rw-r--r--app/models/project.rb1
-rw-r--r--app/models/project_team.rb6
5 files changed, 21 insertions, 21 deletions
diff --git a/app/models/concerns/bulk_member_access_load.rb b/app/models/concerns/bulk_member_access_load.rb
index e252ca36629..927d6ccb28f 100644
--- a/app/models/concerns/bulk_member_access_load.rb
+++ b/app/models/concerns/bulk_member_access_load.rb
@@ -9,11 +9,15 @@ module BulkMemberAccessLoad
# Determine the maximum access level for a group of resources in bulk.
#
# Returns a Hash mapping resource ID -> maximum access level.
- def max_member_access_for_resource_ids(resource_klass, resource_ids, memoization_index = self.id, &block)
+ def max_member_access_for_resource_ids(resource_klass, resource_ids, &block)
raise 'Block is mandatory' unless block_given?
+ memoization_index = self.id
+ memoization_class = self.class
+
resource_ids = resource_ids.uniq
- access = load_access_hash(resource_klass, memoization_index)
+ memo_id = "#{memoization_class}:#{memoization_index}"
+ access = load_access_hash(resource_klass, memo_id)
# Look up only the IDs we need
resource_ids -= access.keys
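Review bot: `memoization_index = self.id` is nil for a record that has not been saved, so `memo_id` becomes the class name followed by an empty id (for example `"Project:"`), and every unsaved instance of that class would share one request-store hash of access levels. Whether unsaved records ever reach this method is not visible in the hunk, but because the memoized values feed permission decisions the case deserves an explicit guard, such as `raise ArgumentError, 'memoization requires a persisted record' if memoization_index.nil?`, or a path that skips memoization. The rest of the method body lies outside the hunk, so the right place for the guard relative to the lookup should be confirmed there.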
@@ -33,8 +37,8 @@ module BulkMemberAccessLoad
access
end
- def merge_value_to_request_store(resource_klass, resource_id, memoization_index, value)
- max_member_access_for_resource_ids(resource_klass, [resource_id], memoization_index) do
+ def merge_value_to_request_store(resource_klass, resource_id, value)
+ max_member_access_for_resource_ids(resource_klass, [resource_id]) do
{ resource_id => value }
end
end
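Review bot: `merge_value_to_request_store` has no comment, and after this change its scope is implicit: the value is filed under the receiver's class and id rather than under an index the caller passes. A short comment above the method would make that visible to callers, for example `# Stores value for resource_id in the request-store hash scoped to this object (class and id).`. It would also help to state whether an already memoized entry for `resource_id` is replaced or kept, which depends on the part of `max_member_access_for_resource_ids` that is outside this hunk.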
@@ -45,16 +49,13 @@ module BulkMemberAccessLoad
"max_member_access_for_#{klass.name.underscore.pluralize}:#{memoization_index}"
end
- def load_access_hash(resource_klass, memoization_index)
- key = max_member_access_for_resource_key(resource_klass, memoization_index)
+ def load_access_hash(resource_klass, memo_id)
+ return {} unless Gitlab::SafeRequestStore.active?
- access = {}
- if Gitlab::SafeRequestStore.active?
- Gitlab::SafeRequestStore[key] ||= {}
- access = Gitlab::SafeRequestStore[key]
- end
+ key = max_member_access_for_resource_key(resource_klass, memo_id)
+ Gitlab::SafeRequestStore[key] ||= {}
- access
+ Gitlab::SafeRequestStore[key]
end
end
end
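Review bot: `load_access_hash` now passes the composite `memo_id` (class name plus id) to `max_member_access_for_resource_key`, but the context line above still interpolates a variable called `memoization_index`, so the helper's parameter name no longer describes what it receives. Renaming that parameter to `memo_id` would keep the two methods consistent; the helper's signature is outside the hunk. A one-line comment on `load_access_hash` would also help, e.g. `# Returns the per-request memo hash for this key, or a fresh unshared Hash when the request store is inactive.`.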
diff --git a/app/models/concerns/diff_positionable_note.rb b/app/models/concerns/diff_positionable_note.rb
index cea3c7d119c..b13ca4bf06e 100644
--- a/app/models/concerns/diff_positionable_note.rb
+++ b/app/models/concerns/diff_positionable_note.rb
@@ -12,6 +12,7 @@ module DiffPositionableNote
serialize :change_position, Gitlab::Diff::Position # rubocop:disable Cop/ActiveRecordSerialize
validate :diff_refs_match_commit, if: :for_commit?
+ validates :position, json_schema: { filename: "position", hash_conversion: true }
end
%i(original_position position change_position).each do |meth|
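Review bot: The added `validates :position, json_schema: ...` covers only `position`, while the loop on the last context line treats `original_position`, `position` and `change_position` alike and `change_position` is serialized with the same `Gitlab::Diff::Position` class. If the other two attributes can also carry client-supplied data, they would bypass the schema check; that cannot be confirmed from this hunk. Either validate them with the same schema, e.g. `validates :original_position, :change_position, json_schema: { filename: "position", hash_conversion: true }`, or add a comment saying why only `position` needs it. It is also worth confirming how the validator treats a nil `position`, since the schema file is not shown.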
diff --git a/app/models/preloaders/user_max_access_level_in_groups_preloader.rb b/app/models/preloaders/user_max_access_level_in_groups_preloader.rb
index bdd76d39ec1..2cd54b975f3 100644
--- a/app/models/preloaders/user_max_access_level_in_groups_preloader.rb
+++ b/app/models/preloaders/user_max_access_level_in_groups_preloader.rb
@@ -4,8 +4,6 @@ module Preloaders
# This class preloads the max access level (role) for the user within the given groups and
# stores the values in requests store.
class UserMaxAccessLevelInGroupsPreloader
- include BulkMemberAccessLoad
-
def initialize(groups, user)
@groups = groups
@user = user
@@ -27,8 +25,9 @@ module Preloaders
.group(:source_id)
.maximum(:access_level)
- group_memberships.each do |group_id, max_access_level|
- merge_value_to_request_store(User, @user.id, group_id, max_access_level)
+ @groups.each do |group|
+ access_level = group_memberships[group.id]
+ group.merge_value_to_request_store(User, @user.id, access_level) if access_level.present?
end
end
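Review bot: The loop now walks `@groups` and calls `merge_value_to_request_store` on each group instead of iterating `group_memberships` directly, and nothing in the code says why. The reason is that the memo key is now derived from the receiver, so the write has to go through the group instance; a comment such as `# The cache is keyed by the group itself, so write through each group instance.` would stop a later refactor from reverting to the id-based form. The same applies to the `@groups.each` loop in the next hunk of this file. The enclosing method starts outside this hunk.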
@@ -41,7 +40,7 @@ module Preloaders
@groups.each do |group|
max_access_level = max_access_levels[group.id] || Gitlab::Access::NO_ACCESS
- merge_value_to_request_store(User, @user.id, group.id, max_access_level)
+ group.merge_value_to_request_store(User, @user.id, max_access_level)
end
end
diff --git a/app/models/project.rb b/app/models/project.rb
index 2288850553c..45999da7839 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -36,6 +36,7 @@ class Project < ApplicationRecord
include Repositories::CanHousekeepRepository
include EachBatch
include GitlabRoutingHelper
+ include BulkMemberAccessLoad
extend Gitlab::Cache::RequestCache
extend Gitlab::Utils::Override
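Review bot: `include BulkMemberAccessLoad` makes `max_member_access_for_resource_ids` and `merge_value_to_request_store` callable on every `Project` instance, and they have to stay public because `ProjectTeam` calls them on `project`. That means any code holding a project can write an access level into the per-request cache that later permission checks read. The concern should say which callers are expected, for example with a module comment like `# Only ProjectTeam and the access preloaders should write to this cache; values must come from an authorization query.`, and a spec that a written value never exceeds the stored authorization would be a useful safeguard.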
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 94904e9792f..8061554006d 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -1,8 +1,6 @@
# frozen_string_literal: true
class ProjectTeam
- include BulkMemberAccessLoad
-
attr_accessor :project
def initialize(project)
@@ -171,7 +169,7 @@ class ProjectTeam
#
# Returns a Hash mapping user ID -> maximum access level.
def max_member_access_for_user_ids(user_ids)
- max_member_access_for_resource_ids(User, user_ids, project.id) do |user_ids|
+ project.max_member_access_for_resource_ids(User, user_ids) do |user_ids|
project.project_authorizations
.where(user: user_ids)
.group(:user_id)
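Review bot: The block parameter in `do |user_ids|` shadows the method argument `user_ids` of `max_member_access_for_user_ids`, which hides the fact that the block receives only the ids that were not already memoized. Renaming it makes the narrowing explicit: `project.max_member_access_for_resource_ids(User, user_ids) do |missing_user_ids|` with `.where(user: missing_user_ids)`. The block continues past the end of this hunk, so any later use of the name would need the same rename.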
@@ -180,7 +178,7 @@ class ProjectTeam
end
def write_member_access_for_user_id(user_id, project_access_level)
- merge_value_to_request_store(User, user_id, project.id, project_access_level)
+ project.merge_value_to_request_store(User, user_id, project_access_level)
end
def max_member_access(user_id)