authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 13:06:17 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 13:06:17 +0000
commit8cf3b9ab464420af642931a89f5fb24c65b1338d (patch)
treebbe9873aef1a15764fe668258f6aea4e0efac2eb /app
parentc1c828ac7f7b3c2e51d81921bbef9d474cd4d0a4 (diff)
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/services/concerns/update_visibility_level.rb12
-rw-r--r--app/services/groups/update_service.rb4
-rw-r--r--app/services/projects/update_service.rb2
3 files changed, 11 insertions, 7 deletions
diff --git a/app/services/concerns/update_visibility_level.rb b/app/services/concerns/update_visibility_level.rb
index b7a161f5089..4cd14a2fb53 100644
--- a/app/services/concerns/update_visibility_level.rb
+++ b/app/services/concerns/update_visibility_level.rb
@@ -1,13 +1,17 @@
# frozen_string_literal: true
module UpdateVisibilityLevel
+ # check that user is allowed to set specified visibility_level
def valid_visibility_level_change?(target, new_visibility)
- # check that user is allowed to set specified visibility_level
- if new_visibility && new_visibility.to_i != target.visibility_level
+ return true unless new_visibility
+
+ new_visibility_level = Gitlab::VisibilityLevel.level_value(new_visibility)
+
+ if new_visibility_level != target.visibility_level_value
unless can?(current_user, :change_visibility_level, target) &&
- Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+ Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility_level)
- deny_visibility_level(target, new_visibility)
+ deny_visibility_level(target, new_visibility_level)
return false
end
end
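Review bot: After `new_visibility_level = Gitlab::VisibilityLevel.level_value(new_visibility)` there is no fail-closed path for a value that `level_value` cannot map, and what it returns for an unrecognised string (nil, a default level, or an exception) is not visible in this hunk. If it can yield nil or a default that happens to equal `target.visibility_level_value`, the `if` is skipped and the method falls through to its success return below the hunk while the model setter may later store something different, which is the same shape of bypass the old `to_i` comparison had. I would add `return false if new_visibility_level.nil?` directly after the assignment and, if `level_value` can fall back to a default, compare the result against the set of known levels rather than only against the current one. The permission check itself is now consistent, since both `allowed_for?` and `deny_visibility_level` receive the normalized integer. The method's closing lines (its `true` return and `end`) are outside the hunk.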
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 1ad43b051be..2d6334251ad 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -15,7 +15,7 @@ module Groups
return false
end
- return false unless valid_visibility_level_change?(group, params[:visibility_level])
+ return false unless valid_visibility_level_change?(group, group.visibility_attribute_value(params))
return false unless valid_share_with_group_lock_change?
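Review bot: The check now validates only the single value that `group.visibility_attribute_value(params)` picks, yet params may carry both `:visibility` and `:visibility_level`, the two attribute names this commit is unifying; if the helper prefers one key and the later attribute assignment applies both, the unchecked one could be the value actually stored. `visibility_attribute_value` is not visible here, so this is an inference to confirm against its implementation. If it does not already resolve the conflict, I would reject disagreeing input before the check, e.g. `return false if params.key?(:visibility) && params.key?(:visibility_level) && Gitlab::VisibilityLevel.level_value(params[:visibility]) != Gitlab::VisibilityLevel.level_value(params[:visibility_level])`, or drop whichever key was not checked before assignment. The enclosing method starts above the hunk.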
@@ -77,7 +77,7 @@ module Groups
end
def after_update
- if group.previous_changes.include?(:visibility_level) && group.private?
+ if group.previous_changes.include?(group.visibility_level_field) && group.private?
# don't enqueue immediately to prevent todos removal in case of a mistake
TodosDestroyer::GroupPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, group.id)
end
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index a32e80af4b1..b34ecf06e52 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -49,7 +49,7 @@ module Projects
private
def validate!
- unless valid_visibility_level_change?(project, params[:visibility_level])
+ unless valid_visibility_level_change?(project, project.visibility_attribute_value(params))
raise ValidationError, s_('UpdateProject|New visibility level not allowed!')
end