Backport part of c777bb91fd7 and 4074cb3b7c16 from EE

Signed-off-by: Rémy Coutable <remy@rymai.me>
author: Rémy Coutable <remy@rymai.me> 2017-09-15 18:20:29 +0200
committer: Rémy Coutable <remy@rymai.me> 2017-09-26 16:21:17 +0200
commit: 951a5cca6202ed64de0687205d13b2b03346e514 (patch)
tree: b74cd17d2ecfba38ca70145820d2f9c20ac12f86 /app
parent: 6528d52afedf7c9fd9db4ae9e101060cfcbe53d0 (diff)
download: gitlab-ce-951a5cca6202ed64de0687205d13b2b03346e514.tar.gz
2 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb
index 8921d55c3d0..3181f517087 100644
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -106,7 +106,7 @@ module IssuableCollections
       # @filter_params[:authorized_only] = true
     end
 
-    @filter_params
+    @filter_params.permit(IssuableFinder::VALID_PARAMS)
   end
 
   def set_default_state
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 0a2e3c709d9..673cd36046d 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -25,6 +25,10 @@ class IssuableFinder
 
   NONE = '0'.freeze
 
+  SCALAR_PARAMS = %i(scope state group_id project_id milestone_title assignee_id search label_name sort assignee_username author_id author_username authorized_only due_date iids non_archived weight).freeze
+  ARRAY_PARAMS = { label_name: [], iids: [], assignee_username: [] }.freeze
+  VALID_PARAMS = (SCALAR_PARAMS + [ARRAY_PARAMS]).freeze
+
   attr_accessor :current_user, :params
 
   def initialize(current_user, params = {})
author	Rémy Coutable <remy@rymai.me>	2017-09-15 18:20:29 +0200
committer	Rémy Coutable <remy@rymai.me>	2017-09-26 16:21:17 +0200
commit	951a5cca6202ed64de0687205d13b2b03346e514 (patch)
tree	b74cd17d2ecfba38ca70145820d2f9c20ac12f86 /app
parent	6528d52afedf7c9fd9db4ae9e101060cfcbe53d0 (diff)
download	gitlab-ce-951a5cca6202ed64de0687205d13b2b03346e514.tar.gz