diff options
| author | Mark Chao <mchao@gitlab.com> | 2019-09-16 17:50:41 +0800 |
|---|---|---|
| committer | Mark Chao <mchao@gitlab.com> | 2019-10-01 17:18:17 +1300 |
| commit | b9c5d6dbde01c8d99324d0420937cded718b8d16 (patch) | |
| tree | 11edbab1d7d6df391e448217408d093a75672895 /app | |
| parent | 74a9fe358d53cacd313e9eda988c49d4a8c661b4 (diff) | |
| download | gitlab-ce-b9c5d6dbde01c8d99324d0420937cded718b8d16.tar.gz | |
EE port: Fix private feature Elasticsearch leak
Add spec to test different combinations.
Accept string for required_minimum_access_level
Allow more flexible project membership query
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/project.rb | 7 | ||||
| -rw-r--r-- | app/models/project_feature.rb | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb index 8efe4b06f87..a1bd5edaba9 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -459,7 +459,7 @@ class Project < ApplicationRecord # the feature is either public, enabled, or internal with permission for the user. # Note: this scope doesn't enforce that the user has access to the projects, it just checks # that the user has access to the feature. It's important to use this scope with others - # that checks project authorizations first. + # that checks project authorizations first (e.g. `filter_by_feature_visibility`). # # This method uses an optimised version of `with_feature_access_level` for # logged in users to more efficiently get private projects with the given @@ -487,6 +487,11 @@ class Project < ApplicationRecord end end + # This scope returns projects where user has access to both the project and the feature. + def self.filter_by_feature_visibility(feature, user) + with_feature_available_for_user(feature, user).public_or_visible_to_user(user) + end + scope :active, -> { joins(:issues, :notes, :merge_requests).order('issues.created_at, notes.created_at, merge_requests.created_at DESC') } scope :abandoned, -> { where('projects.last_activity_at < ?', 6.months.ago) } diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb index 78e82955342..dc7bfb92e09 100644 --- a/app/models/project_feature.rb +++ b/app/models/project_feature.rb @@ -62,7 +62,8 @@ class ProjectFeature < ApplicationRecord private def ensure_feature!(feature) - feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name) + feature = feature.model_name.plural if feature.respond_to?(:model_name) + feature = feature.to_sym raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature) feature |