author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:11:15 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 14:11:34 +0000 |
commit | 222fda90362a3be9e54323af32234d038b99908d (patch) | |
tree | 9678d10e85608009dfe340c635f979e1e2bcc3a6 /app | |
parent | 4279c892b46b4a9de9f0580cf011173e716ebf6c (diff) | |
download | gitlab-ce-222fda90362a3be9e54323af32234d038b99908d.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/ci/runner_jobs_finder.rb | 12 | ||||
-rw-r--r-- | app/models/ci/project_mirror.rb | 2 | ||||
-rw-r--r-- | app/models/user.rb | 14 |
3 files changed, 26 insertions, 2 deletions
diff --git a/app/finders/ci/runner_jobs_finder.rb b/app/finders/ci/runner_jobs_finder.rb
index 9dc3c2a2427..b659eda6646 100644
--- a/app/finders/ci/runner_jobs_finder.rb
+++ b/app/finders/ci/runner_jobs_finder.rb
@@ -6,13 +6,15 @@ module Ci
 ALLOWED_INDEXED_COLUMNS = %w[id].freeze
- def initialize(runner, params = {})
+ def initialize(runner, current_user, params = {})
 @runner = runner
+ @user = current_user
 @params = params
 end
 def execute
 items = @runner.builds
+ items = by_permission(items)
 items = by_status(items)
 sort_items(items)
 end
@@ -20,6 +22,14 @@ module Ci
 private
 # rubocop: disable CodeReuse/ActiveRecord
+ def by_permission(items)
+ return items if @user.can_read_all_resources?
+
+ items.for_project(@user.authorized_project_mirrors(Gitlab::Access::REPORTER).select(:project_id))
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+
+ # rubocop: disable CodeReuse/ActiveRecord
 def by_status(items)
 return items unless Ci::HasStatus::AVAILABLE_STATUSES.include?(params[:status])
diff --git a/app/models/ci/project_mirror.rb b/app/models/ci/project_mirror.rb
index 9000d1791a6..15a161d5b7c 100644
--- a/app/models/ci/project_mirror.rb
+++ b/app/models/ci/project_mirror.rb
@@ -4,6 +4,8 @@ module Ci
 # This model represents a shadow table of the main database's projects table.
 # It allows us to navigate the project and namespace hierarchy on the ci database.
 class ProjectMirror < ApplicationRecord
+ include FromUnion
+
 belongs_to :project
 scope :by_namespace_id, -> (namespace_id) { where(namespace_id: namespace_id) }
diff --git a/app/models/user.rb b/app/models/user.rb
index c86fb56795c..40096dfa411 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
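Review bot: Call sites of `Ci::RunnerJobsFinder.new` need checking, because `initialize` now takes `current_user` as a second positional parameter ahead of the defaulted `params`. A stale two-argument call `new(runner, params)` still satisfies the arity and binds the params hash to `@user`. That would only surface at request time as a NoMethodError inside `by_permission`, with the status filter silently dropped. No caller is part of this diff (the diffstat is limited to `app`), so whether all of them were updated cannot be confirmed from here. A comment above the constructor would make the contract explicit, e.g. `# current_user is required: execute restricts the runner's jobs to projects this user may read`. The class body starts outside the hunk.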
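Review bot: `by_permission` calls `@user.can_read_all_resources?` with no handling for a nil `@user`, so a caller without a signed-in user would get a NoMethodError instead of an empty result. That fails closed, but if any entry point can reach this finder unauthenticated (callers are not visible in this diff), an explicit first line states the intent: `return items.none unless @user`. The `Gitlab::Access::REPORTER` threshold is also unexplained. A one-line comment such as `# Only jobs from projects where the user is at least a Reporter are listed` would record the rule being enforced, and a spec covering a user below that level would pin it.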
@@ -1657,6 +1657,14 @@ class User < ApplicationRecord
 true
 end
+ def authorized_project_mirrors(level)
+ projects = Ci::ProjectMirror.by_project_id(ci_project_mirrors_for_project_members(level))
+
+ namespace_projects = Ci::ProjectMirror.by_namespace_id(ci_namespace_mirrors_for_group_members(level).select(:namespace_id))
+
+ Ci::ProjectMirror.from_union([projects, namespace_projects])
+ end
+
 def ci_owned_runners
 @ci_owned_runners ||= begin
 Ci::Runner
@@ -2113,6 +2121,10 @@ class User < ApplicationRecord
 end
 # rubocop: enable CodeReuse/ServiceClass
+ def ci_project_mirrors_for_project_members(level)
+ project_members.where('access_level >= ?', level).pluck(:source_id)
+ end
+
 def notification_email_verified
 return if notification_email.blank? || temp_oauth_email?
@@ -2250,7 +2262,7 @@ class User < ApplicationRecord
 end
 def ci_owned_project_runners_from_project_members
- project_ids = project_members.where('access_level >= ?', Gitlab::Access::MAINTAINER).pluck(:source_id)
+ project_ids = ci_project_mirrors_for_project_members(Gitlab::Access::MAINTAINER)
 Ci::Runner
 .joins(:runner_projects) |
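Review bot: `authorized_project_mirrors` derives access from membership rows alone: `project_members` at or above `level`, plus whatever `ci_namespace_mirrors_for_group_members` returns. The set it yields may therefore differ from the user's effective project access, for example through a project shared with a group, or through pending or expired membership rows if the `project_members` association does not already exclude them. Neither the association nor `ci_namespace_mirrors_for_group_members` is visible in this hunk, so this is a question to confirm rather than a confirmed gap. Because `by_permission` in runner_jobs_finder.rb uses the result as an authorization filter, the method deserves a comment stating its scope, e.g. `# Project mirrors the user can reach at +level+ or above through direct project membership or group membership only.`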
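Review bot: The name `ci_project_mirrors_for_project_members` is misleading, because the method returns plucked `source_id` values, an in-memory array of project IDs, rather than `Ci::ProjectMirror` records. The last hunk even assigns its result to `project_ids`. The array grows with the user's membership count and is passed straight to `Ci::ProjectMirror.by_project_id` in `authorized_project_mirrors`. If `pluck` rather than `select` is deliberate because memberships and CI mirrors live in different databases (the model comment in project_mirror.rb suggests so, but confirm), say so above the method: `# Returns project IDs (not mirror records); plucked so they can be used in a query on the ci database`. A name such as `project_ids_for_project_members` would match what the callers receive.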