Merge branch 'reference-access-control' into 'master'

Only allow users to reference groups, projects, issues, MRs, commits they have access to.

Addresses https://dev.gitlab.org/gitlab/gitlabhq/issues/2183.

See merge request !1742

3 files changed, 66 insertions, 65 deletions

diff --git a/lib/gitlab/closing_issue_extractor.rb b/lib/gitlab/closing_issue_extractor.rb
index a9fd59f03d9..ab184d95c05 100644
--- a/lib/gitlab/closing_issue_extractor.rb
+++ b/lib/gitlab/closing_issue_extractor.rb
@@ -1,21 +1,20 @@
 module Gitlab
-  module ClosingIssueExtractor
+  class ClosingIssueExtractor
     ISSUE_CLOSING_REGEX = Regexp.new(Gitlab.config.gitlab.issue_closing_pattern)
 
-    def self.closed_by_message_in_project(message, project)
-      issues = []
+    def initialize(project, current_user = nil)
+      @extractor = Gitlab::ReferenceExtractor.new(project, current_user)
+    end
 
-      unless message.nil?
-        md = message.scan(ISSUE_CLOSING_REGEX)
+    def closed_by_message(message)
+      return [] if message.nil?
+      
+      closing_statements = message.scan(ISSUE_CLOSING_REGEX).
+        map { |ref| ref[0] }.join(" ")
 
-        md.each do |ref|
-          extractor = Gitlab::ReferenceExtractor.new
-          extractor.analyze(ref[0], project)
-          issues += extractor.issues_for(project)
-        end
-      end
+      @extractor.analyze(closing_statements)
 
-      issues.uniq
+      @extractor.issues
     end
   end
 end
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index f1e2ae74a3a..8073417a16a 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -192,6 +192,7 @@ module Gitlab
         project_path = $LAST_MATCH_INFO[:project]
         if project_path
           actual_project = ::Project.find_with_namespace(project_path)
+          actual_project = nil unless can?(current_user, :read_project, actual_project)
           project_prefix = project_path
         end
 
@@ -251,6 +252,7 @@ module Gitlab
       elsif namespace = Namespace.find_by(path: identifier)
         url =
           if namespace.is_a?(Group)
+            return nil unless can?(current_user, :read_group, namespace)
             group_url(identifier, only_path: options[:reference_only_path])
           else
             user_url(identifier, only_path: options[:reference_only_path])
diff --git a/lib/gitlab/reference_extractor.rb b/lib/gitlab/reference_extractor.rb
index c0419585c4b..a502a8fe9cd 100644
--- a/lib/gitlab/reference_extractor.rb
+++ b/lib/gitlab/reference_extractor.rb
@@ -1,94 +1,94 @@
 module Gitlab
   # Extract possible GFM references from an arbitrary String for further processing.
   class ReferenceExtractor
-    attr_accessor :users, :labels, :issues, :merge_requests, :snippets, :commits, :commit_ranges
+    attr_accessor :project, :current_user, :references
 
     include ::Gitlab::Markdown
 
-    def initialize
-      @users, @labels, @issues, @merge_requests, @snippets, @commits, @commit_ranges =
-        [], [], [], [], [], [], []
+    def initialize(project, current_user = nil)
+      @project = project
+      @current_user = current_user
     end
 
-    def analyze(string, project)
-      text = string.dup
+    def can?(user, action, subject)
+      Ability.abilities.allowed?(user, action, subject)
+    end
+
+    def analyze(text)
+      text = text.dup
 
       # Remove preformatted/code blocks so that references are not included
       text.gsub!(%r{<pre>.*?</pre>|<code>.*?</code>}m) { |match| '' }
       text.gsub!(%r{^```.*?^```}m) { |match| '' }
 
-      parse_references(text, project)
+      @references = Hash.new { |hash, type| hash[type] = [] }
+      parse_references(text)
     end
 
     # Given a valid project, resolve the extracted identifiers of the requested type to
     # model objects.
 
-    def users_for(project)
-      users.map do |entry|
-        project.users.where(username: entry[:id]).first
-      end.reject(&:nil?)
+    def users
+      references[:user].uniq.map do |project, identifier|
+        if identifier == "all"
+          project.team.members.flatten
+        elsif namespace = Namespace.find_by(path: identifier)
+          if namespace.is_a?(Group)
+            namespace.users
+          else
+            namespace.owner
+          end
+        end
+      end.flatten.compact.uniq
     end
 
-    def labels_for(project = nil)
-      labels.map do |entry|
-        project.labels.where(id: entry[:id]).first
-      end.reject(&:nil?)
+    def labels
+      references[:label].uniq.map do |project, identifier|
+        project.labels.where(id: identifier).first
+      end.compact.uniq
     end
 
-    def issues_for(project = nil)
-      issues.map do |entry|
-        if should_lookup?(project, entry[:project])
-          entry[:project].issues.where(iid: entry[:id]).first
+    def issues
+      references[:issue].uniq.map do |project, identifier|
+        if project.default_issues_tracker?
+          project.issues.where(iid: identifier).first
         end
-      end.reject(&:nil?)
+      end.compact.uniq
     end
 
-    def merge_requests_for(project = nil)
-      merge_requests.map do |entry|
-        if should_lookup?(project, entry[:project])
-          entry[:project].merge_requests.where(iid: entry[:id]).first
-        end
-      end.reject(&:nil?)
+    def merge_requests
+      references[:merge_request].uniq.map do |project, identifier|
+        project.merge_requests.where(iid: identifier).first
+      end.compact.uniq
     end
 
-    def snippets_for(project)
-      snippets.map do |entry|
-        project.snippets.where(id: entry[:id]).first
-      end.reject(&:nil?)
+    def snippets
+      references[:snippet].uniq.map do |project, identifier|
+        project.snippets.where(id: identifier).first
+      end.compact.uniq
     end
 
-    def commits_for(project = nil)
-      commits.map do |entry|
-        repo = entry[:project].repository if entry[:project]
-        if should_lookup?(project, entry[:project])
-          repo.commit(entry[:id]) if repo
-        end
-      end.reject(&:nil?)
+    def commits
+      references[:commit].uniq.map do |project, identifier|
+        repo = project.repository
+        repo.commit(identifier) if repo
+      end.compact.uniq
     end
 
-    def commit_ranges_for(project = nil)
-      commit_ranges.map do |entry|
-        repo = entry[:project].repository if entry[:project]
-        if repo && should_lookup?(project, entry[:project])
-          from_id, to_id = entry[:id].split(/\.{2,3}/, 2)
+    def commit_ranges
+      references[:commit_range].uniq.map do |project, identifier|
+        repo = project.repository
+        if repo
+          from_id, to_id = identifier.split(/\.{2,3}/, 2)
           [repo.commit(from_id), repo.commit(to_id)]
         end
-      end.reject(&:nil?)
+      end.compact.uniq
     end
 
     private
 
     def reference_link(type, identifier, project, _)
-      # Append identifier to the appropriate collection.
-      send("#{type}s") << { project: project, id: identifier }
-    end
-
-    def should_lookup?(project, entry_project)
-      if entry_project.nil?
-        false
-      else
-        project.nil? || entry_project.default_issues_tracker?
-      end
+      references[type] << [project, identifier]
     end
   end
 end