authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:28:22 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:28:28 +0000
commit37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch)
tree99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /app
parentde222caa576cab3d0894c65531f5822f205877d5 (diff)
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/gfm_auto_complete.js2
-rw-r--r--app/controllers/groups/application_controller.rb6
-rw-r--r--app/controllers/groups/group_members_controller.rb1
-rw-r--r--app/policies/group_policy.rb9
4 files changed, 17 insertions, 1 deletions
diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js
index b1af1ad797b..146255df31f 100644
--- a/app/assets/javascripts/gfm_auto_complete.js
+++ b/app/assets/javascripts/gfm_auto_complete.js
@@ -955,7 +955,7 @@ GfmAutoComplete.Milestones = {
};
GfmAutoComplete.Contacts = {
templateFunction({ email, firstName, lastName }) {
- return `<li><small>${firstName} ${lastName}</small> ${escape(email)}</li>`;
+ return `<li><small>${escape(firstName)} ${escape(lastName)}</small> ${escape(email)}</li>`;
},
};
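Review bot: The fixed `templateFunction` carries no hint that every interpolated field must stay escaped, so the next edit that adds a field (or "tidies" the template) can silently reintroduce the original issue; a one-line comment above the return would guard it: `// Contact fields are caller-supplied data, never markup: escape every interpolation.`. The fix is only as strong as `escape` — its import is outside the hunk, so confirm it is the HTML-escaping helper (lodash `escape` or equivalent) and not a URL encoder. A regression test rendering a contact whose first name contains `<img` and asserting the output holds `&lt;img` would pin the behaviour. The hunk header shows `GfmAutoComplete.Milestones` directly above; the sibling template functions in this file are not visible here and are worth checking for the same interpolate-without-escape pattern.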
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index bf72ade32d0..aec3247f4b2 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -67,6 +67,12 @@ class Groups::ApplicationController < ApplicationController
end
end
+ def authorize_read_group_member!
+ unless can?(current_user, :read_group_member, group)
+ render_403
+ end
+ end
+
def build_canonical_path(group)
params[:group_id] = group.to_param
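Review bot: `authorize_read_group_member!` says nothing about when it fires or why the outcome is a 403 rather than the 404 its sibling filters in this controller may use, which matters because the decision actually lives in `GroupPolicy#can_read_group_member?` (added in this same commit); a comment above the method would spare the next reader the cross-file lookup: `# 403 unless the user may list this group's members; GroupPolicy denies`, `# :read_group_member for a private group when the user has NO_ACCESS.`. The filter is wired to `index` only (`only: :index` in group_members_controller.rb in this commit), so any other action in that controller that renders a member list would remain unguarded — not visible here, so treat as something to confirm. `build_canonical_path` continues past the end of the hunk.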
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index d325bb402e7..b95d8c87a4a 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -14,6 +14,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
# Authorize
before_action :authorize_admin_group_member!, except: admin_not_required_endpoints
+ before_action :authorize_read_group_member!, only: :index
skip_before_action :check_two_factor_requirement, only: :leave
skip_cross_project_access_check :index, :update, :destroy, :request_access,
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a4600c720a3..9aae295aea7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -23,6 +23,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
condition(:migration_bot, scope: :user) { @user.migration_bot? }
+ condition(:can_read_group_member) { can_read_group_member? }
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
@@ -128,6 +129,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { ~public_group & ~has_access }.prevent :read_counts
+ rule { ~can_read_group_member }.policy do
+ prevent :read_group_member
+ end
+
rule { ~can?(:read_group) }.policy do
prevent :read_design_activity
end
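Review bot: The new rule only `prevent`s `:read_group_member` and nothing in the hunk `enable`s it; in DeclarativePolicy an ability that is never enabled is already denied, so this rule is meaningful only because an enabling rule for `:read_group_member` presumably exists elsewhere in the policy (the controller filter added in this commit calls `can?(current_user, :read_group_member, group)`, which suggests it does). That dependency is invisible at the rule itself, so a short comment would state the intent: `# Hard deny: a private group's member list is never readable by a user with`, `# no access level, whatever other rules enable :read_group_member.`. If the enabling rule turns out to be EE-only or absent, the CE controller filter would 403 every request, which is worth checking before merge.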
@@ -316,6 +321,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
true
end
+ def can_read_group_member?
+ !(@subject.private? && access_level == GroupMember::NO_ACCESS)
+ end
+
def resource_access_token_creation_allowed?
resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
end
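Review bot: `can_read_group_member?` depends on `access_level` resolving to `GroupMember::NO_ACCESS` for an anonymous request (`@user` nil); `access_level` is not in the hunk, so confirm it returns that value rather than raising on a nil user, since the `project_bot` condition above already assumes it is callable here. The negated conjunction reads harder than it needs to; the equivalent `!@subject.private? || access_level != GroupMember::NO_ACCESS` states the rule directly ("public group, or some access level"). A YARD comment would also help, e.g. `# @return [Boolean] false only for a private group and a user with no`, `#   access level; feeds the :can_read_group_member condition.`. The matching `condition(:can_read_group_member)` added earlier in this file is declared without a `scope:`, which is correct here because the predicate reads both `@subject` and the user's access level.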