authorMark Chao <mchao@gitlab.com>2019-09-16 17:50:41 +0800
committerMark Chao <mchao@gitlab.com>2019-10-01 17:16:07 +1300
commitf132561154314b6fc9050fc7f3d0baf34c13c44b (patch)
tree3467e7d8566929485749a57e32223d2031d86a06 /app
parent5a54a8d9be626ef1a708f3ffbc80b39209c07351 (diff)
downloadgitlab-ce-f132561154314b6fc9050fc7f3d0baf34c13c44b.tar.gz
EE port: Fix private feature Elasticsearch leak
Add spec to test different combinations. Accept string for required_minimum_access_level. Allow more flexible project membership query.
Diffstat (limited to 'app')
-rw-r--r--app/models/project.rb7
-rw-r--r--app/models/project_feature.rb3
2 files changed, 8 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 7c065db9829..5c3bf4a3b5d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -468,7 +468,7 @@ class Project < ApplicationRecord
# the feature is either public, enabled, or internal with permission for the user.
# Note: this scope doesn't enforce that the user has access to the projects, it just checks
# that the user has access to the feature. It's important to use this scope with others
- # that checks project authorizations first.
+ # that checks project authorizations first (e.g. `filter_by_feature_visibility`).
#
# This method uses an optimised version of `with_feature_access_level` for
# logged in users to more efficiently get private projects with the given
@@ -496,6 +496,11 @@ class Project < ApplicationRecord
end
end
+ # This scope returns projects where user has access to both the project and the feature.
+ def self.filter_by_feature_visibility(feature, user)
+ with_feature_available_for_user(feature, user).public_or_visible_to_user(user)
+ end
+
scope :active, -> { joins(:issues, :notes, :merge_requests).order('issues.created_at, notes.created_at, merge_requests.created_at DESC') }
scope :abandoned, -> { where('projects.last_activity_at < ?', 6.months.ago) }
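Review bot: The one-line comment on the new `filter_by_feature_visibility` should say why the helper exists, since the comment at the top of the file (hunk at line 468) already notes that `with_feature_available_for_user` only checks feature access and must be paired with a project-authorization scope; without that context a future caller may still reach for the unpaired scope and reintroduce the leak this commit fixes. Suggested replacement for the comment: `# Projects where `user` can see both the project and `feature`. Prefer this over` / `# `with_feature_available_for_user` alone, which does not check project authorization.`. It also reads as a `scope` in the comment but is defined as a class method; saying "Returns projects …" avoids the mismatch with the `scope :…` style used on the following lines. If `user` may be nil for anonymous visitors, as the `public_or_visible_to_user(user)` call suggests, the comment should state that as well; I cannot confirm it from this hunk.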
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index 13b20b1fead..2013f620b5b 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -62,7 +62,8 @@ class ProjectFeature < ApplicationRecord
private
def ensure_feature!(feature)
- feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name)
+ feature = feature.model_name.plural if feature.respond_to?(:model_name)
+ feature = feature.to_sym
raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature)
feature