author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:48:05 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:48:05 +0000 |
commit | 3dd03a1a19e6b788ec1296044e28f7727e5149a6 (patch) | |
tree | 133f13a2c5bb0fbb7cc5706487b91134194b3870 /app | |
parent | 096459e2c2c8e3c17eb6e677091990adffe9af7d (diff) | |
download | gitlab-ce-3dd03a1a19e6b788ec1296044e28f7727e5149a6.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/environments/environment_names_finder.rb | 11 | ||||
-rw-r--r-- | app/models/project_feature.rb | 3 | ||||
-rw-r--r-- | app/views/explore/projects/page_out_of_bounds.html.haml | 2 |
3 files changed, 4 insertions, 12 deletions
diff --git a/app/finders/environments/environment_names_finder.rb b/app/finders/environments/environment_names_finder.rb
index d4928f0fc84..ffb689f45e2 100644
--- a/app/finders/environments/environment_names_finder.rb
+++ b/app/finders/environments/environment_names_finder.rb
@@ -32,18 +32,9 @@ module Environments
 end
 def namespace_environments
- # We assume reporter access is needed for the :read_environment permission
- # here. This expection is also present in
- # IssuableFinder::Params#min_access_level, which is used for filtering out
- # merge requests that don't have the right permissions.
- #
- # We use this approach so we don't need to load every project into memory
- # just to verify if we can see their environments. Doing so would not be
- # efficient, and possibly mess up pagination if certain projects are not
- # meant to be visible.
 projects = project_or_group
 .all_projects
- .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
+ .filter_by_feature_visibility(:environments, current_user)
 Environment.for_project(projects)
 end
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index 053ccfac050..52e623db7b0 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -36,7 +36,8 @@ class ProjectFeature < ApplicationRecord
 merge_requests: Gitlab::Access::REPORTER,
 metrics_dashboard: Gitlab::Access::REPORTER,
 container_registry: Gitlab::Access::REPORTER,
- package_registry: Gitlab::Access::REPORTER
+ package_registry: Gitlab::Access::REPORTER,
+ environments: Gitlab::Access::REPORTER
 }.freeze
 PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT = { repository: Gitlab::Access::REPORTER }.freeze
diff --git a/app/views/explore/projects/page_out_of_bounds.html.haml b/app/views/explore/projects/page_out_of_bounds.html.haml
index ef5ee2c679e..e13768a3ccb 100644
--- a/app/views/explore/projects/page_out_of_bounds.html.haml
+++ b/app/views/explore/projects/page_out_of_bounds.html.haml
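Review bot: The new `.filter_by_feature_visibility(:environments, current_user)` call in `namespace_environments` carries no comment, and the deleted block was the only place that recorded why visibility is enforced in the query rather than project by project. The minimum role is no longer visible at the call site; it presumably comes from the `environments: Gitlab::Access::REPORTER` entry added in the app/models/project_feature.rb hunk (that hash starts outside its hunk), so the two changes only protect environment names as a pair. I would keep a short comment here, e.g. `# Enforce each project's environments feature setting in SQL; the minimum role is defined in ProjectFeature.`, and a matching one next to the new hash entry. The diffstat is limited to app/ and shows no spec, so it is worth confirming there is a finder spec for a group project whose environments feature is restricted to members or disabled.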
@@ -18,5 +18,5 @@
 %h5= _("Maximum page reached")
 %p= _("Sorry, you have exceeded the maximum browsable page number. Please use the API to explore further.")
- = render Pajamas::ButtonComponent.new(href: request.params.merge(page: @max_page_number)) do
+ = render Pajamas::ButtonComponent.new(href: safe_params.merge(page: @max_page_number)) do
 = _("Back to page %{number}") % { number: @max_page_number } |
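Review bot: The `href:` on the changed `render Pajamas::ButtonComponent.new(...)` line now depends entirely on what `safe_params` permits, and that helper is defined outside this view, so the hunk alone does not show that URL-generation option keys are filtered out of the hash. Nothing in the template says why `request.params` must not be used here, which makes it easy to reintroduce in a later refactor. I would add a HAML comment above the line, e.g. `-# Use safe_params: raw request params are user-controlled and must not reach the generated href.`, and confirm a view or request spec asserts that the "Back to page" link keeps the application's own host and path when extra query parameters are supplied.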