author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-02-21 12:50:13 +0100 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-02-22 17:11:36 +0100 |
commit | 08266ba0a14ec296b51cda6b54d1648985a11adf (patch) | |
tree | d5e611b7ba5c7fabe77114918e3b74fd1a26d5e9 /lib | |
parent | 148816cd67a314f17e79c107270cc708501bdd39 (diff) | |
Use `Redactor` to hide cross project information (bvl-external-auth-port)
Since the redactor can be run on multiple documents at once and
query results are stored in the request store.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/cross_project_issuable_information_filter.rb | 40 | ||||
-rw-r--r-- | lib/banzai/pipeline/post_process_pipeline.rb | 1 | ||||
-rw-r--r-- | lib/banzai/redactor.rb | 21 |
3 files changed, 20 insertions, 42 deletions
diff --git a/lib/banzai/filter/cross_project_issuable_information_filter.rb b/lib/banzai/filter/cross_project_issuable_information_filter.rb
deleted file mode 100644
index c2c08b4fd6a..00000000000
--- a/lib/banzai/filter/cross_project_issuable_information_filter.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-module Banzai
- module Filter
- # HTML filter that removes sensitive information from cross project
- # issue references.
- #
- # The link to the issue or merge request is preserved only the IID is shown,
- # but all other info is removed.
- class CrossProjectIssuableInformationFilter < HTML::Pipeline::Filter
- def call
- return doc if can_read_cross_project?
-
- extractor = Banzai::IssuableExtractor.new(project, current_user)
- issuables = extractor.extract([doc])
-
- issuables.each do |node, issuable|
- next if issuable.project == project
-
- node['class'] = node['class'].gsub('has-tooltip', '')
- node['title'] = nil
- end
-
- doc
- end
-
- private
-
- def project
- context[:project]
- end
-
- def can_read_cross_project?
- Ability.allowed?(current_user, :read_cross_project)
- end
-
- def current_user
- context[:current_user]
- end
- end
- end
-end
diff --git a/lib/banzai/pipeline/post_process_pipeline.rb b/lib/banzai/pipeline/post_process_pipeline.rb
index 4cf97e2d9d2..dcd52bc03c7 100644
--- a/lib/banzai/pipeline/post_process_pipeline.rb
+++ b/lib/banzai/pipeline/post_process_pipeline.rb
@@ -6,7 +6,6 @@ module Banzai
 Filter::RedactorFilter,
 Filter::RelativeLinkFilter,
 Filter::IssuableStateFilter,
- Filter::CrossProjectIssuableInformationFilter,
 Filter::AbsoluteLinkFilter
 ]
 end
diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index de3ebe72720..827df7c08ae 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -19,8 +19,9 @@ module Banzai
 #
 # Returns the documents passed as the first argument.
 def redact(documents)
- all_document_nodes = document_nodes(documents)
+ redact_cross_project_references(documents) unless can_read_cross_project?
+ all_document_nodes = document_nodes(documents)
 redact_document_nodes(all_document_nodes)
 end
@@ -51,6 +52,18 @@ module Banzai
 metadata
 end
+ def redact_cross_project_references(documents)
+ extractor = Banzai::IssuableExtractor.new(project, user)
+ issuables = extractor.extract(documents)
+
+ issuables.each do |node, issuable|
+ next if issuable.project == project
+
+ node['class'] = node['class'].gsub('has-tooltip', '')
+ node['title'] = nil
+ end
+ end
+
 # Returns the nodes visible to the current user.
 #
 # nodes - The input nodes to check.
@@ -78,5 +91,11 @@ module Banzai
 { document: document, nodes: Querying.css(document, 'a.gfm[data-reference-type]') }
 end
 end
+
+ private
+
+ def can_read_cross_project?
+ Ability.allowed?(user, :read_cross_project)
+ end
 end
 end |
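Review bot: The doc comment above `redact` (it starts outside this hunk) still describes only the per-node redaction, but the method now also rewrites cross-project issuable links in every document when the user lacks `:read_cross_project`. I would extend that comment with something like `# Links to issuables in other projects also lose their tooltip title when the user cannot :read_cross_project.` A spec that calls `redact` with more than one document for such a user would pin the multi-document behaviour the commit message gives as the reason for the move.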
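Review bot: `redact_cross_project_references` in the second hunk is added without a comment, and the explanation that lived on the deleted filter class did not move with the code. Because this method decides what a user without `:read_cross_project` can still see, it should say so, for example `# Strips the tooltip (title attribute and has-tooltip class) from links to issuables outside this project; the link itself is kept. Modifies the documents in place.` Only `title` and the `has-tooltip` class are touched, so the redaction relies on the issuable's title not appearing anywhere else in the rendered link; that cannot be confirmed from this hunk and is worth covering with a spec. Separately, `node['class'].gsub` raises if an extracted node has no `class` attribute, so unless the extractor guarantees one I would write `node['class'] = node['class'].gsub('has-tooltip', '') if node['class']` and still clear `title` unconditionally.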
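Review bot: The new `private` in the last hunk covers only `can_read_cross_project?`; `redact_cross_project_references` from the previous hunk is defined above it and stays public unless an earlier visibility marker exists outside the visible lines. It mutates the documents and is only meant to run behind the ability check in `redact`, so I would move its definition below `private` as well. The class body between the hunks is not shown, so confirm nothing else calls it directly before changing its visibility.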