From 222fda90362a3be9e54323af32234d038b99908d Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Jun 2022 14:11:15 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
---
app/finders/ci/runner_jobs_finder.rb | 12 +++++++++++-
app/models/ci/project_mirror.rb | 2 ++
app/models/user.rb | 14 +++++++++++++-
3 files changed, 26 insertions(+), 2 deletions(-)
(limited to 'app')
diff --git a/app/finders/ci/runner_jobs_finder.rb b/app/finders/ci/runner_jobs_finder.rb
index 9dc3c2a2427..b659eda6646 100644
--- a/app/finders/ci/runner_jobs_finder.rb
+++ b/app/finders/ci/runner_jobs_finder.rb
@@ -6,19 +6,29 @@ module Ci
ALLOWED_INDEXED_COLUMNS = %w[id].freeze - def initialize(runner, params = {}) + def initialize(runner, current_user, params = {}) @runner = runner + @user = current_user @params = params end def execute items = @runner.builds + items = by_permission(items) items = by_status(items) sort_items(items) end private # rubocop: disable CodeReuse/ActiveRecord + def by_permission(items) + return items if @user.can_read_all_resources? + + items.for_project(@user.authorized_project_mirrors(Gitlab::Access::REPORTER).select(:project_id)) + end + # rubocop: enable CodeReuse/ActiveRecord + # rubocop: disable CodeReuse/ActiveRecord def by_status(items) return items unless Ci::HasStatus::AVAILABLE_STATUSES.include?(params[:status])
diff --git a/app/models/ci/project_mirror.rb b/app/models/ci/project_mirror.rb
index 9000d1791a6..15a161d5b7c 100644
--- a/app/models/ci/project_mirror.rb
+++ b/app/models/ci/project_mirror.rb
@@ -4,6 +4,8 @@ module Ci
# This model represents a shadow table of the main database's projects table. # It allows us to navigate the project and namespace hierarchy on the ci database. class ProjectMirror < ApplicationRecord + include FromUnion + belongs_to :project scope :by_namespace_id, -> (namespace_id) { where(namespace_id: namespace_id) } 
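Review bot: `by_permission` dereferences `@user` unconditionally (`@user.can_read_all_resources?`), so a caller that passes `nil` as `current_user` now raises NoMethodError rather than getting an empty or scoped result; if an unauthenticated caller is possible, fail closed explicitly with `return items.none unless @user` as the first line of the method (`@runner.builds` is a relation, so `none` should be available — confirm). The new positional `current_user` parameter sits between `runner` and `params`, so any caller still using the old two-argument form would silently bind its params hash to `current_user`; this patch is limited to `app/` and the callers are not visible, so confirm they were all updated. The admin bypass and the REPORTER threshold carry the security intent of the change and deserve a comment, e.g. `# Only builds of projects the user can read (REPORTER and above), unless the user may read all resources.` The class header and its attr_reader lines are outside the hunk, so it is not visible whether `@user` should be read through an accessor the way `by_status` reads `params`.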
diff --git a/app/models/user.rb b/app/models/user.rb
index c86fb56795c..40096dfa411 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1657,6 +1657,14 @@ class User < ApplicationRecord
true end + def authorized_project_mirrors(level) + projects = Ci::ProjectMirror.by_project_id(ci_project_mirrors_for_project_members(level)) + + namespace_projects = Ci::ProjectMirror.by_namespace_id(ci_namespace_mirrors_for_group_members(level).select(:namespace_id)) + + Ci::ProjectMirror.from_union([projects, namespace_projects]) + end + def ci_owned_runners @ci_owned_runners ||= begin Ci::Runner
@@ -2113,6 +2121,10 @@ class User < ApplicationRecord
end # rubocop: enable CodeReuse/ServiceClass + def ci_project_mirrors_for_project_members(level) + project_members.where('access_level >= ?', level).pluck(:source_id) + end + def notification_email_verified return if notification_email.blank? || temp_oauth_email?
@@ -2250,7 +2262,7 @@ class User < ApplicationRecord
end def ci_owned_project_runners_from_project_members - project_ids = project_members.where('access_level >= ?', Gitlab::Access::MAINTAINER).pluck(:source_id) + project_ids = ci_project_mirrors_for_project_members(Gitlab::Access::MAINTAINER) Ci::Runner .joins(:runner_projects)
-- cgit v1.2.1
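Review bot: `authorized_project_mirrors` is a new public query method used by an authorization check, yet it has no comment saying what it returns or why it goes through `Ci::ProjectMirror` rather than `projects`; add one such as `# Ci::ProjectMirror relation for projects where the user holds at least +level+ access, directly or (presumably) through a group membership; lets CI-database queries be scoped by permission.` The two halves are built asymmetrically — the project-membership side is an id Array materialized by `pluck(:source_id)` and passed as an IN list, while the namespace side stays a subquery via `.select(:namespace_id)` — which looks deliberate for a cross-database lookup and is worth a one-line comment so a later refactor does not turn it into a join. The `by_project_id` scope this relies on is not visible in the `project_mirror.rb` hunk, which shows only `by_namespace_id`; confirm it exists in the unchanged part of that file.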
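Review bot: `ci_project_mirrors_for_project_members` returns an Array of project ids (`pluck(:source_id)`), not `Ci::ProjectMirror` records, so the name misleads at both call sites: `authorized_project_mirrors` in the first hunk and `ci_owned_project_runners_from_project_members` in the last hunk, where the result is assigned to `project_ids`. If a rename is out of scope for a security backport, document it instead: `# Ids of projects where the user is a direct member with at least +level+ access (main database); plucked so the list can be used in CI-database queries.` The `level` value is bound as a query parameter in `where('access_level >= ?', level)`, so the string condition is fine as written; callers pass `Gitlab::Access` constants, and the method has no guard against a nil or non-numeric `level`, which would fall through to the database — confirm that is acceptable.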