author | Felipe Artur <felipefac@gmail.com> | 2019-05-20 11:08:31 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-05-21 10:40:49 -0300 |
commit | fcc2bc3bee093d81571ca0d51d32e1ca127a351a (patch) | |
tree | d078fcc472e902d1eea7bb360ab9add1f233afff /app | |
parent | 406fe0e9f2908d1fb1736ff75686434a73576ad6 (diff) | |
Resolve: Milestones leaked via search API
Fix milestone titles being leaked using search API
when users cannot read milestones
Diffstat (limited to 'app')
-rw-r--r-- | app/models/project.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 68b5c299df4..0b6c5d756dd 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -407,6 +407,7 @@ class Project < ApplicationRecord
 scope :with_builds_enabled, -> { with_feature_enabled(:builds) }
 scope :with_issues_enabled, -> { with_feature_enabled(:issues) }
 scope :with_issues_available_for_user, ->(current_user) { with_feature_available_for_user(:issues, current_user) }
+ scope :with_merge_requests_available_for_user, ->(current_user) { with_feature_available_for_user(:merge_requests, current_user) }
 scope :with_merge_requests_enabled, -> { with_feature_enabled(:merge_requests) }
 scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct }
@@ -597,6 +598,17 @@ class Project < ApplicationRecord
 def group_ids
 joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
 end
+
+ # Returns ids of projects with milestones available for given user
+ #
+ # Used on queries to find milestones which user can see
+ # For example: Milestone.where(project_id: ids_with_milestone_available_for(user))
+ def ids_with_milestone_available_for(user)
+ with_issues_enabled = with_issues_available_for_user(user).select(:id)
+ with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id)
+
+ from_union([with_issues_enabled, with_merge_requests_enabled]).select(:id)
+ end
 end
 def all_pipelines |
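Review bot: In `ids_with_milestone_available_for` (second hunk) the locals `with_issues_enabled` and `with_merge_requests_enabled` reuse the names of the scopes visible in the first hunk, yet they hold the per-user `*_available_for_user` relations; in an access filter, blurring "enabled" with "available for this user" invites misreading. I would rename them, e.g. `issues_project_ids = with_issues_available_for_user(user).select(:id)`, `merge_requests_project_ids = with_merge_requests_available_for_user(user).select(:id)` and `from_union([issues_project_ids, merge_requests_project_ids]).select(:id)`. The comment should also state that a project qualifies when either issues or merge requests are available to the user, and what a nil (anonymous) user yields; that depends on `with_feature_available_for_user`, which is not shown here. The block closed by the trailing `end` opens outside the hunk, and the search code expected to call this helper is not in this `app`-limited view, so it cannot be confirmed from here that every milestone query goes through the filter.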