authorBob Van Landuyt <bob@vanlanduyt.co>2018-02-21 12:50:13 +0100
committerBob Van Landuyt <bob@vanlanduyt.co>2018-02-22 17:11:36 +0100
commit08266ba0a14ec296b51cda6b54d1648985a11adf (patch)
treed5e611b7ba5c7fabe77114918e3b74fd1a26d5e9 /lib
parent148816cd67a314f17e79c107270cc708501bdd39 (diff)
Use `Redactor` to hide cross project informationbvl-external-auth-port
This is done because the redactor can be run on multiple documents at once and query results are stored in the request store.
Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/cross_project_issuable_information_filter.rb40
-rw-r--r--lib/banzai/pipeline/post_process_pipeline.rb1
-rw-r--r--lib/banzai/redactor.rb21
3 files changed, 20 insertions, 42 deletions
diff --git a/lib/banzai/filter/cross_project_issuable_information_filter.rb b/lib/banzai/filter/cross_project_issuable_information_filter.rb
deleted file mode 100644
index c2c08b4fd6a..00000000000
--- a/lib/banzai/filter/cross_project_issuable_information_filter.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-module Banzai
- module Filter
- # HTML filter that removes sensitive information from cross project
- # issue references.
- #
- # The link to the issue or merge request is preserved only the IID is shown,
- # but all other info is removed.
- class CrossProjectIssuableInformationFilter < HTML::Pipeline::Filter
- def call
- return doc if can_read_cross_project?
-
- extractor = Banzai::IssuableExtractor.new(project, current_user)
- issuables = extractor.extract([doc])
-
- issuables.each do |node, issuable|
- next if issuable.project == project
-
- node['class'] = node['class'].gsub('has-tooltip', '')
- node['title'] = nil
- end
-
- doc
- end
-
- private
-
- def project
- context[:project]
- end
-
- def can_read_cross_project?
- Ability.allowed?(current_user, :read_cross_project)
- end
-
- def current_user
- context[:current_user]
- end
- end
- end
-end
diff --git a/lib/banzai/pipeline/post_process_pipeline.rb b/lib/banzai/pipeline/post_process_pipeline.rb
index 4cf97e2d9d2..dcd52bc03c7 100644
--- a/lib/banzai/pipeline/post_process_pipeline.rb
+++ b/lib/banzai/pipeline/post_process_pipeline.rb
@@ -6,7 +6,6 @@ module Banzai
Filter::RedactorFilter,
Filter::RelativeLinkFilter,
Filter::IssuableStateFilter,
- Filter::CrossProjectIssuableInformationFilter,
Filter::AbsoluteLinkFilter
]
end
diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index de3ebe72720..827df7c08ae 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -19,8 +19,9 @@ module Banzai
#
# Returns the documents passed as the first argument.
def redact(documents)
- all_document_nodes = document_nodes(documents)
+ redact_cross_project_references(documents) unless can_read_cross_project?
+ all_document_nodes = document_nodes(documents)
redact_document_nodes(all_document_nodes)
end
@@ -51,6 +52,18 @@ module Banzai
metadata
end
+ def redact_cross_project_references(documents)
+ extractor = Banzai::IssuableExtractor.new(project, user)
+ issuables = extractor.extract(documents)
+
+ issuables.each do |node, issuable|
+ next if issuable.project == project
+
+ node['class'] = node['class'].gsub('has-tooltip', '')
+ node['title'] = nil
+ end
+ end
+
# Returns the nodes visible to the current user.
#
# nodes - The input nodes to check.
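Review bot: `redact_cross_project_references` is now the only step that hides cross-project issuable details, but it has no comment. The filter this commit deletes documented that the link and IID are preserved and all other info is removed. I would carry that over above the method, e.g. `# Strips the tooltip class and title from issue/MR links that point to another project; the link itself is kept.` Separately, `node['class'].gsub(...)` raises if an extracted node has no `class` attribute. The extractor presumably returns only `a.gfm` links, so this may never occur, but `node['class'] = node['class'].to_s.gsub('has-tooltip', '')` would remove the dependency on that assumption while still clearing `title`.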
@@ -78,5 +91,11 @@ module Banzai
{ document: document, nodes: Querying.css(document, 'a.gfm[data-reference-type]') }
end
end
+
+ private
+
+ def can_read_cross_project?
+ Ability.allowed?(user, :read_cross_project)
+ end
end
end
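Review bot: The `private` keyword added at the end of the class covers only `can_read_cross_project?`. `redact_cross_project_references`, added in the previous hunk, is defined above it and stays public unless visibility is changed somewhere outside the visible hunks. That helper mutates the documents and does no permission check of its own, because the `unless can_read_cross_project?` guard lives in `redact`. I would move it below `private` so `redact` remains the single entry point that decides when cross-project details are stripped. The class body starts outside this hunk, so existing visibility markers could not be checked.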