Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-12-04 16:47:02 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-12-04 16:47:02 +0000
commit: d00f14d73f41129f9d986d4bec32f1f927b525a6 (patch)
tree: 93a8f2296ead9161cd71899e4f410e929ae33fb4 /app/services/feature_flags
parent: 1b6a590b197788a06a1ff726ea61630a49b10412 (diff)
download: gitlab-ce-d00f14d73f41129f9d986d4bec32f1f927b525a6.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb
index ed5e2e794b4..d956d4b3357 100644
--- a/app/services/feature_flags/update_service.rb
+++ b/app/services/feature_flags/update_service.rb
@@ -10,6 +10,7 @@ module FeatureFlags
 
     def execute(feature_flag)
       return error('Access Denied', 403) unless can_update?(feature_flag)
+      return error('Not Found', 404) unless valid_user_list_ids?(feature_flag, user_list_ids(params))
 
       ActiveRecord::Base.transaction do
         feature_flag.assign_attributes(params)
@@ -87,5 +88,15 @@ module FeatureFlags
     def can_update?(feature_flag)
       Ability.allowed?(current_user, :update_feature_flag, feature_flag)
     end
+
+    def user_list_ids(params)
+      params.fetch(:strategies_attributes, [])
+        .select { |s| s[:user_list_id].present? }
+        .map { |s| s[:user_list_id] }
+    end
+
+    def valid_user_list_ids?(feature_flag, user_list_ids)
+      user_list_ids.empty? || ::Operations::FeatureFlags::UserList.belongs_to?(feature_flag.project_id, user_list_ids)
+    end
   end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-12-04 16:47:02 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-12-04 16:47:02 +0000
commit	d00f14d73f41129f9d986d4bec32f1f927b525a6 (patch)
tree	93a8f2296ead9161cd71899e4f410e929ae33fb4 /app/services/feature_flags
parent	1b6a590b197788a06a1ff726ea61630a49b10412 (diff)
download	gitlab-ce-d00f14d73f41129f9d986d4bec32f1f927b525a6.tar.gz