author | Felipe Artur <felipefac@gmail.com> | 2019-05-20 11:08:31 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-05-20 11:08:34 -0300 |
commit | b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch) | |
tree | f2ce52b008b39683db353f07723d14e104b0b250 /lib/gitlab/search_results.rb | |
parent | 1602ce28c65125f045e36c4420dafd6a7788d37c (diff) | |
download | gitlab-ce-b70b43d07ec27c6410e4a8d7ad417662a8823f8f.tar.gz |
Resolve: Milestones leaked via search API
Fix milestone titles being leaked through the search API
when users cannot read milestones
Diffstat (limited to 'lib/gitlab/search_results.rb')
-rw-r--r-- | lib/gitlab/search_results.rb | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index 4a097a00101..7c1e6b1baff 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -103,9 +103,11 @@ module Gitlab
     # rubocop: disable CodeReuse/ActiveRecord
     def milestones
-      milestones = Milestone.where(project_id: project_ids_relation)
-      milestones = milestones.search(query)
-      milestones.reorder('milestones.updated_at DESC')
+      milestones = Milestone.search(query)
+
+      milestones = filter_milestones_by_project(milestones)
+
+      milestones.reorder('updated_at DESC')
     end
     # rubocop: enable CodeReuse/ActiveRecord
@@ -123,6 +125,26 @@ module Gitlab
       'projects'
     end
+    # Filter milestones by authorized projects.
+    # For performance reasons project_id is being plucked
+    # to be used on a smaller query.
+    #
+    # rubocop: disable CodeReuse/ActiveRecord
+    def filter_milestones_by_project(milestones)
+      project_ids =
+        milestones.where(project_id: project_ids_relation)
+        .select(:project_id).distinct
+        .pluck(:project_id)
+
+      return Milestone.none if project_ids.nil?
+
+      authorized_project_ids_relation =
+        Project.where(id: project_ids).ids_with_milestone_available_for(current_user)
+
+      milestones.where(project_id: authorized_project_ids_relation)
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
     # rubocop: disable CodeReuse/ActiveRecord
     def project_ids_relation
       limit_projects.select(:id).reorder(nil)
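Review bot: The new `reorder('updated_at DESC')` in `milestones` drops the table qualifier that the removed line carried, so the ORDER BY becomes ambiguous as soon as the relation joins another table with its own `updated_at` column; whether `Milestone.search(query)` or `filter_milestones_by_project` adds such a join cannot be seen from this hunk. Using the hash form lets ActiveRecord qualify the column itself: `milestones.reorder(updated_at: :desc)`. The body of `milestones` is fully inside the hunk.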
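Review bot: The guard `return Milestone.none if project_ids.nil?` in `filter_milestones_by_project` is unreachable, because `pluck` returns an Array (possibly empty) and never nil, so the short-circuit it documents never fires. The useful check is on the empty case: `return Milestone.none if project_ids.empty?`. The `.select(:project_id)` before `.distinct.pluck(:project_id)` is redundant as well, since `pluck` already restricts the columns; `milestones.where(project_id: project_ids_relation).distinct.pluck(:project_id)` reads the same. The authorization decision rests on `ids_with_milestone_available_for(current_user)`, which is defined outside this file section, so a spec for the anonymous/no-access user against a project with private issues would pin the fix this commit describes.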