summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-30 23:32:30 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-30 23:32:30 +0000
commit2f8d8dca22eca9937cee14765ceadc2aee266616 (patch)
tree1b5142eaedf21ebe5c6911e30e0e99d2833620e0 /app
parent4d243f5ca3709f28f9de96937e3c2ac736deb4bd (diff)
downloadgitlab-ce-2f8d8dca22eca9937cee14765ceadc2aee266616.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/graphql/mutations/metrics/dashboard/annotations/base.rb2
-rw-r--r--app/services/members/base_service.rb5
-rw-r--r--app/services/todos/destroy/entity_leave_service.rb45
3 files changed, 43 insertions, 9 deletions
diff --git a/app/graphql/mutations/metrics/dashboard/annotations/base.rb b/app/graphql/mutations/metrics/dashboard/annotations/base.rb
index 3126267da64..ad52f84378d 100644
--- a/app/graphql/mutations/metrics/dashboard/annotations/base.rb
+++ b/app/graphql/mutations/metrics/dashboard/annotations/base.rb
@@ -9,7 +9,7 @@ module Mutations
# This method is defined here in order to be used by `authorized_find!` in the subclasses.
def find_object(id:)
- GitlabSchema.object_from_id(id)
+ GitlabSchema.object_from_id(id, expected_type: ::Metrics::Dashboard::Annotation)
end
end
end
diff --git a/app/services/members/base_service.rb b/app/services/members/base_service.rb
index 5d69418fb7d..3f55f661d9b 100644
--- a/app/services/members/base_service.rb
+++ b/app/services/members/base_service.rb
@@ -7,6 +7,11 @@ module Members
def initialize(current_user = nil, params = {})
@current_user = current_user
@params = params
+
+ # could be a string, force to an integer, part of fix
+ # https://gitlab.com/gitlab-org/gitlab/-/issues/219496
+ # Allow the ArgumentError to be raised if it can't be converted to an integer.
+ @params[:access_level] = Integer(@params[:access_level]) if @params[:access_level]
end
def after_execute(args)
diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb
index 4743e9b02ce..0c0548a17a1 100644
--- a/app/services/todos/destroy/entity_leave_service.rb
+++ b/app/services/todos/destroy/entity_leave_service.rb
@@ -52,7 +52,14 @@ module Todos
# rubocop: disable CodeReuse/ActiveRecord
def remove_project_todos
- Todo.where(project_id: non_authorized_projects, user_id: user.id).delete_all
+ # Issues are viewable by guests (even in private projects), so remove those todos
+ # from projects without guest access
+ Todo.where(project_id: non_authorized_guest_projects, user_id: user.id)
+ .delete_all
+
+ # MRs require reporter access, so remove those todos that are not authorized
+ Todo.where(project_id: non_authorized_reporter_projects, target_type: MergeRequest.name, user_id: user.id)
+ .delete_all
end
# rubocop: enable CodeReuse/ActiveRecord
@@ -68,7 +75,7 @@ module Todos
when Project
{ id: entity.id }
when Namespace
- { namespace_id: non_member_groups }
+ { namespace_id: non_authorized_reporter_groups }
end
Project.where(condition)
@@ -76,8 +83,32 @@ module Todos
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
- def non_authorized_projects
- projects.where('id NOT IN (?)', user.authorized_projects.select(:id))
+ def authorized_reporter_projects
+ user.authorized_projects(Gitlab::Access::REPORTER).select(:id)
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def authorized_guest_projects
+ user.authorized_projects(Gitlab::Access::GUEST).select(:id)
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def non_authorized_reporter_projects
+ projects.where('id NOT IN (?)', authorized_reporter_projects)
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def non_authorized_guest_projects
+ projects.where('id NOT IN (?)', authorized_guest_projects)
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def authorized_reporter_groups
+ GroupsFinder.new(user, min_access_level: Gitlab::Access::REPORTER).execute.select(:id)
end
# rubocop: enable CodeReuse/ActiveRecord
@@ -91,9 +122,9 @@ module Todos
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
- def non_member_groups
+ def non_authorized_reporter_groups
entity.self_and_descendants.select(:id)
- .where('id NOT IN (?)', user.membership_groups.select(:id))
+ .where('id NOT IN (?)', authorized_reporter_groups)
end
# rubocop: enable CodeReuse/ActiveRecord
@@ -106,8 +137,6 @@ module Todos
# rubocop: disable CodeReuse/ActiveRecord
def confidential_issues
assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user.id)
- authorized_reporter_projects = user
- .authorized_projects(Gitlab::Access::REPORTER).select(:id)
Issue.where(project_id: projects, confidential: true)
.where('project_id NOT IN(?)', authorized_reporter_projects)