authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 16:53:44 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 16:53:44 +0000
commit4e3a54f835daa49bf784d6e6ad91e90116a24dc8 (patch)
tree8e1f7be7a80da2de02b2da0ed88f81b2f6b6de8c /app
parentaefe6486cf0d193067112b90145083d73b96bfef (diff)
downloadgitlab-ce-4e3a54f835daa49bf784d6e6ad91e90116a24dc8.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/controllers/users_controller.rb2
-rw-r--r--app/finders/starred_projects_finder.rb11
-rw-r--r--app/services/todos/destroy/entity_leave_service.rb6
-rw-r--r--app/validators/zoom_url_validator.rb7
-rw-r--r--app/views/devise/confirmations/new.html.haml2
5 files changed, 23 insertions, 5 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 672f36dedc0..05573255066 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -19,7 +19,7 @@ class UsersController < ApplicationController
prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
before_action :user, except: [:exists, :suggests]
before_action :authorize_read_user_profile!,
- only: [:calendar, :calendar_activities, :groups, :projects, :contributed_projects, :starred_projects, :snippets]
+ only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets]
feature_category :users
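Review bot: The `only:` allowlist on the new line keeps the fail-open shape that caused this bug — the stale entries `:contributed_projects`/`:starred_projects` meant `authorize_read_user_profile!` was never run for the real `contributed`/`starred` actions, and nothing in this hunk stops the next rename from doing the same. I would add `# Keep in sync with the action names below: a stale entry here silently skips the profile check` above the list and back it with a controller spec asserting the filter runs for every profile-data action, or express the filter as `except:` over the few public actions so new actions are covered by default. The action definitions are outside this hunk, so I cannot confirm that the two new names match them.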
diff --git a/app/finders/starred_projects_finder.rb b/app/finders/starred_projects_finder.rb
index fcb469d1d17..e209960c471 100644
--- a/app/finders/starred_projects_finder.rb
+++ b/app/finders/starred_projects_finder.rb
@@ -1,11 +1,22 @@
# frozen_string_literal: true
class StarredProjectsFinder < ProjectsFinder
+ include Gitlab::Allowable
+
def initialize(user, params: {}, current_user: nil)
+ @user = user
+
super(
params: params,
current_user: current_user,
project_ids_relation: user.starred_projects.select(:id)
)
end
+
+ def execute
+ # Do not show starred projects if the user has a private profile.
+ return Project.none unless can?(current_user, :read_user_profile, @user)
+
+ super
+ end
end
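Review bot: The comment on the new `execute` names only one reason `can?(current_user, :read_user_profile, @user)` can fail, so a reader may assume a user with a public profile always gets results. I would reword it to `# Return nothing unless current_user may read @user's profile (private profiles and any other :read_user_profile restriction).` With the default `current_user: nil` the guard yields `Project.none` for anyone who cannot read the profile, which is the fail-closed behaviour wanted here and worth pinning with a spec for the anonymous case. Whether `Gitlab::Allowable` is already mixed into `ProjectsFinder` I cannot tell from here; if it is, the added `include` is redundant but harmless.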
diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb
index 97c56b84434..7cfedc2233a 100644
--- a/app/services/todos/destroy/entity_leave_service.rb
+++ b/app/services/todos/destroy/entity_leave_service.rb
@@ -22,7 +22,7 @@ module Todos
# if at least reporter, all entities including confidential issues can be accessed
return if user_has_reporter_access?
- remove_confidential_issue_todos
+ remove_confidential_resource_todos
if entity.private?
remove_project_todos
@@ -40,7 +40,7 @@ module Todos
end
end
- def remove_confidential_issue_todos
+ def remove_confidential_resource_todos
Todo
.for_target(confidential_issues.select(:id))
.for_type(Issue.name)
@@ -133,3 +133,5 @@ module Todos
end
end
end
+
+Todos::Destroy::EntityLeaveService.prepend_if_ee('EE::Todos::Destroy::EntityLeaveService')
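Review bot: The `prepend_if_ee` line is the only hint that `remove_confidential_resource_todos` covers anything beyond issues, while the CE body of that method (renamed in the earlier hunk, which ends mid-method) still targets only `Issue` todos. A comment on the CE definition, e.g. `# CE removes only confidential issue todos; EE::Todos::Destroy::EntityLeaveService prepends this class to cover other confidential resources.`, would stop a CE reader from assuming the rename itself added behaviour. If the EE override is expected to honour the same `user_has_reporter_access?` early return, that contract belongs in the same comment, since the prepend makes it easy to bypass.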
diff --git a/app/validators/zoom_url_validator.rb b/app/validators/zoom_url_validator.rb
index dc4ca6b9501..e0f8e4e34a2 100644
--- a/app/validators/zoom_url_validator.rb
+++ b/app/validators/zoom_url_validator.rb
@@ -5,8 +5,13 @@
# Custom validator for zoom urls
#
class ZoomUrlValidator < ActiveModel::EachValidator
+ ALLOWED_SCHEMES = %w(https).freeze
+
def validate_each(record, attribute, value)
- return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1
+ links_count = Gitlab::ZoomLinkExtractor.new(value).links.size
+ valid = Gitlab::UrlSanitizer.valid?(value, allowed_schemes: ALLOWED_SCHEMES)
+
+ return if links_count == 1 && valid
record.errors.add(:url, 'must contain one valid Zoom URL')
end
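Review bot: The new `valid` check runs `Gitlab::UrlSanitizer.valid?` on the whole attribute `value`, while `links_count` comes from `ZoomLinkExtractor`, which pulls links out of the text; if the extractor tolerates surrounding text the two can disagree, but because both must hold on the `return` line the outcome is fail-closed, which is the right direction. That reasoning is not visible in the code, so I would put it above `ALLOWED_SCHEMES`: `# Only https is accepted so a stored value can never carry another scheme into a rendered link; the extractor alone does not constrain the scheme, so both checks below must hold.` The message `'must contain one valid Zoom URL'` could also mention https so a rejected `http://` link is understandable to the user. The enclosing class ends outside this hunk.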
diff --git a/app/views/devise/confirmations/new.html.haml b/app/views/devise/confirmations/new.html.haml
index 49112ed6cd5..770a29a629e 100644
--- a/app/views/devise/confirmations/new.html.haml
+++ b/app/views/devise/confirmations/new.html.haml
@@ -6,7 +6,7 @@
= render "devise/shared/error_messages", resource: resource
.form-group
= f.label :email
- = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.'
+ = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.', value: nil
.clearfix
= f.submit "Resend", class: 'gl-button btn btn-success'
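Review bot: The `value: nil` added to the email field relies on a subtle Rails behaviour — an explicitly nil `value` option suppresses the prefill from `resource` instead of being ignored — and nothing in the template records why the address must not be prefilled, so a future cleanup could drop it as a no-op. A HAML comment on the line above, `-# Deliberately never prefilled: the address must come from the user, not from resource/params`, would preserve the intent. I cannot see from this hunk where `resource` gets its email, so whoever has that context should name the exact exposure this closes in that comment.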