authorGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 08:23:17 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-04-29 08:23:24 +0000
commit2234b4382091add4dfe8d44f4e0764bf64ff8c5e (patch)
tree2e16ea43616574e4612223b7cdb70322ce914648 /app
parent6c85cb2ff17cf4ea34372e84ef579734fd607cec (diff)
downloadgitlab-ce-2234b4382091add4dfe8d44f4e0764bf64ff8c5e.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/pipeline_schedules_controller.rb7
-rw-r--r--app/models/issue.rb3
-rw-r--r--app/models/packages/package_file.rb1
-rw-r--r--app/models/project_feature.rb2
-rw-r--r--app/policies/ci/pipeline_schedule_policy.rb5
5 files changed, 14 insertions, 4 deletions
diff --git a/app/controllers/projects/pipeline_schedules_controller.rb b/app/controllers/projects/pipeline_schedules_controller.rb
index ac94cc001dd..f6171403667 100644
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -7,7 +7,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
before_action :authorize_play_pipeline_schedule!, only: [:play]
before_action :authorize_read_pipeline_schedule!
before_action :authorize_create_pipeline_schedule!, only: [:new, :create]
- before_action :authorize_update_pipeline_schedule!, except: [:index, :new, :create, :play]
+ before_action :authorize_update_pipeline_schedule!, only: [:edit, :update]
+ before_action :authorize_take_ownership_pipeline_schedule!, only: [:take_ownership]
before_action :authorize_admin_pipeline_schedule!, only: [:destroy]
feature_category :continuous_integration
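Review bot: Narrowing `authorize_update_pipeline_schedule!` from `except:` to `only: [:edit, :update]` changes the controller's default: an action added later is gated by `authorize_read_pipeline_schedule!` alone (the only callback declared without `only`/`except`), so every new mutating action must register its own authorize callback. That is the safer, fail-closed default, but it is easy to miss when extending the controller and nothing in the callback list says so. Suggest a comment above the `before_action` group: `# Read access is the only check applied to every action; each mutating action must declare its own authorize_*! callback.` The new `take_ownership` callback shows the pattern to follow. The class body continues outside the hunk.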
@@ -108,6 +109,10 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
end
+ def authorize_take_ownership_pipeline_schedule!
+ return access_denied! unless can?(current_user, :take_ownership_pipeline_schedule, schedule)
+ end
+
def authorize_admin_pipeline_schedule!
return access_denied! unless can?(current_user, :admin_pipeline_schedule, schedule)
end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index c2b8b457049..484cceb9129 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -640,7 +640,8 @@ class Issue < ApplicationRecord
# Returns `true` if this Issue is visible to everybody.
def publicly_visible?
- project.public? && !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
+ project.public? && project.feature_available?(:issues, nil) &&
+ !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
end
def expire_etag_cache
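Review bot: The new `project.feature_available?(:issues, nil)` call passes a bare `nil` as the user and nothing in `publicly_visible?` says why; the comment above the method still reads only "visible to everybody" and does not mention the issues feature. Presumably `nil` stands for an anonymous visitor, so the check only passes when the issues feature is enabled for non-members — confirm against `ProjectFeature#feature_available?`. Suggest extending the comment: `# Returns true if this Issue is visible to everybody: the project is public, its issues feature is visible to anonymous users (nil user), and the issue itself is neither confidential nor hidden.`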
diff --git a/app/models/packages/package_file.rb b/app/models/packages/package_file.rb
index b49e04f481c..3d56c563ec8 100644
--- a/app/models/packages/package_file.rb
+++ b/app/models/packages/package_file.rb
@@ -35,6 +35,7 @@ class Packages::PackageFile < ApplicationRecord
validates :file_name, presence: true
validates :file_name, uniqueness: { scope: :package }, if: -> { !pending_destruction? && package&.pypi? }
+ validates :file_sha256, format: { with: Gitlab::Regex.sha256_regex }, if: -> { package&.pypi? }, allow_nil: true
scope :recent, -> { order(id: :desc) }
scope :limit_recent, ->(limit) { recent.limit(limit) }
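Review bot: The added `file_sha256` format validation is scoped to PyPI packages via `if: -> { package&.pypi? }`, and the hunk gives no reason why other package formats keep accepting an unvalidated digest; a one-line comment would save the next reader from wondering whether the restriction is deliberate. Presumably the PyPI upload path is the only one where the digest is taken from the request rather than computed server-side — confirm. Suggest: `# PyPI uploads supply the digest from the client; reject anything that is not a well-formed sha256 hex string.` With `allow_nil: true` but no `allow_blank`, an empty string is rejected, which looks intentional and is worth stating in the same comment. `Gitlab::Regex.sha256_regex` is defined outside the hunk; the validation only constrains the column if that regex is anchored to the whole string.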
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index 33783d31355..27692fe76f0 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -105,7 +105,7 @@ class ProjectFeature < ApplicationRecord
# that the user has access to the feature. It's important to use this scope with others
# that checks project authorizations first (e.g. `filter_by_feature_visibility`).
#
- # This method uses an optimised version of `with_feature_access_level` for
+ # This method uses an optimized version of `with_feature_access_level` for
# logged in users to more efficiently get private projects with the given
# feature.
def self.with_feature_available_for_user(feature, user)
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index 2ef5ffd6a5a..3a674bfef92 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -15,11 +15,14 @@ module Ci
rule { can?(:create_pipeline) }.enable :play_pipeline_schedule
rule { can?(:admin_pipeline) | (can?(:update_build) & owner_of_schedule) }.policy do
- enable :update_pipeline_schedule
enable :admin_pipeline_schedule
enable :read_pipeline_schedule_variables
end
+ rule { admin | (owner_of_schedule & can?(:update_build)) }.policy do
+ enable :update_pipeline_schedule
+ end
+
rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do
enable :take_ownership_pipeline_schedule
end
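Review bot: The new rule `admin | (owner_of_schedule & can?(:update_build))` grants `update_pipeline_schedule` to the schedule owner or an `admin`, while `admin_pipeline_schedule` and `take_ownership_pipeline_schedule` still derive from `can?(:admin_pipeline)`; a project maintainer who is not the owner therefore loses direct update and must take ownership first. That asymmetry is the point of the change but is not written down, and `admin` (presumably the instance-administrator condition from the base policy — confirm it is defined there and whether admin mode applies) is easy to misread as `can?(:admin_pipeline)`. Suggest a comment above the new rule: `# Editing a schedule is limited to its owner or an instance admin; maintainers must take ownership (rule below) before they can update it.` The module and class bodies continue outside the hunk.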