Commit 26bff00d authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-id-fix-mr-visibility' into 'master'

Display the correct number of MRs a user has access to

Closes #2790

See merge request gitlab/gitlabhq!2880
parents 42d3117f 79c42110
...@@ -46,13 +46,6 @@ module Milestoneish ...@@ -46,13 +46,6 @@ module Milestoneish
end end
end end
def merge_requests_visible_to_user(user)
memoize_per_user(user, :merge_requests_visible_to_user) do
MergeRequestsFinder.new(user, {})
.execute.where(milestone_id: milestoneish_id)
end
end
def issue_participants_visible_by_user(user) def issue_participants_visible_by_user(user)
User.joins(:issue_assignees) User.joins(:issue_assignees)
.where('issue_assignees.issue_id' => issues_visible_to_user(user).select(:id)) .where('issue_assignees.issue_id' => issues_visible_to_user(user).select(:id))
...@@ -73,6 +66,13 @@ module Milestoneish ...@@ -73,6 +66,13 @@ module Milestoneish
merge_requests_visible_to_user(user).sort_by_attribute('label_priority') merge_requests_visible_to_user(user).sort_by_attribute('label_priority')
end end
def merge_requests_visible_to_user(user)
memoize_per_user(user, :merge_requests_visible_to_user) do
MergeRequestsFinder.new(user, issues_finder_params)
.execute.where(milestone_id: milestoneish_id)
end
end
def upcoming? def upcoming?
start_date && start_date.future? start_date && start_date.future?
end end
......
...@@ -76,7 +76,7 @@ class ProjectFeature < ActiveRecord::Base ...@@ -76,7 +76,7 @@ class ProjectFeature < ActiveRecord::Base
# This feature might not be behind a feature flag at all, so default to true # This feature might not be behind a feature flag at all, so default to true
return false unless ::Feature.enabled?(feature, user, default_enabled: true) return false unless ::Feature.enabled?(feature, user, default_enabled: true)
get_permission(user, access_level(feature)) get_permission(user, feature)
end end
def access_level(feature) def access_level(feature)
...@@ -134,12 +134,12 @@ class ProjectFeature < ActiveRecord::Base ...@@ -134,12 +134,12 @@ class ProjectFeature < ActiveRecord::Base
(FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")} (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")}
end end
def get_permission(user, level) def get_permission(user, feature)
case level case access_level(feature)
when DISABLED when DISABLED
false false
when PRIVATE when PRIVATE
user && (project.team.member?(user) || user.full_private_access?) team_access?(user, feature)
when ENABLED when ENABLED
true true
when PUBLIC when PUBLIC
...@@ -148,4 +148,11 @@ class ProjectFeature < ActiveRecord::Base ...@@ -148,4 +148,11 @@ class ProjectFeature < ActiveRecord::Base
true true
end end
end end
def team_access?(user, feature)
return unless user
return true if user.full_private_access?
project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))
end
end end
...@@ -465,7 +465,7 @@ class ProjectPolicy < BasePolicy ...@@ -465,7 +465,7 @@ class ProjectPolicy < BasePolicy
when ProjectFeature::DISABLED when ProjectFeature::DISABLED
false false
when ProjectFeature::PRIVATE when ProjectFeature::PRIVATE
guest? || admin? admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
else else
true true
end end
......
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
= milestone_progress_bar(milestone) = milestone_progress_bar(milestone)
= link_to pluralize(milestone.total_issues_count(current_user), 'Issue'), issues_path = link_to pluralize(milestone.total_issues_count(current_user), 'Issue'), issues_path
&middot; &middot;
= link_to pluralize(milestone.merge_requests.size, 'Merge Request'), merge_requests_path = link_to pluralize(milestone.merge_requests_visible_to_user(current_user).size, 'Merge Request'), merge_requests_path
.float-lg-right.light #{milestone.percent_complete(current_user)}% complete .float-lg-right.light #{milestone.percent_complete(current_user)}% complete
.col-sm-2 .col-sm-2
.milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end .milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end
......
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
%li.nav-item %li.nav-item
= link_to '#tab-merge-requests', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do = link_to '#tab-merge-requests', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do
Merge Requests Merge Requests
%span.badge.badge-pill= milestone.merge_requests.size %span.badge.badge-pill= milestone.merge_requests_visible_to_user(current_user).size
- else - else
%li.nav-item %li.nav-item
= link_to '#tab-merge-requests', class: 'nav-link active', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do = link_to '#tab-merge-requests', class: 'nav-link active', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do
......
---
title: Display the correct number of MRs a user has access to
merge_request:
author:
type: security
...@@ -13,269 +13,313 @@ describe MergeRequestsFinder do ...@@ -13,269 +13,313 @@ describe MergeRequestsFinder do
end end
end end
let(:user) { create :user } context "multiple projects with merge requests" do
let(:user2) { create :user } let(:user) { create :user }
let(:user2) { create :user }
let(:group) { create(:group) }
let(:subgroup) { create(:group, parent: group) } let(:group) { create(:group) }
let(:project1) { create_project_without_n_plus_1(group: group) } let(:subgroup) { create(:group, parent: group) }
let(:project2) do let(:project1) { create_project_without_n_plus_1(group: group) }
Gitlab::GitalyClient.allow_n_plus_1_calls do let(:project2) do
fork_project(project1, user) Gitlab::GitalyClient.allow_n_plus_1_calls do
fork_project(project1, user)
end
end end
end let(:project3) do
let(:project3) do Gitlab::GitalyClient.allow_n_plus_1_calls do
Gitlab::GitalyClient.allow_n_plus_1_calls do p = fork_project(project1, user)
p = fork_project(project1, user) p.update!(archived: true)
p.update!(archived: true) p
p end
end end
end let(:project4) { create_project_without_n_plus_1(:repository, group: subgroup) }
let(:project4) { create_project_without_n_plus_1(:repository, group: subgroup) } let(:project5) { create_project_without_n_plus_1(group: subgroup) }
let(:project5) { create_project_without_n_plus_1(group: subgroup) } let(:project6) { create_project_without_n_plus_1(group: subgroup) }
let(:project6) { create_project_without_n_plus_1(group: subgroup) }
let!(:merge_request1) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project1) }
let!(:merge_request1) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project1) } let!(:merge_request2) { create(:merge_request, :conflict, author: user, source_project: project2, target_project: project1, state: 'closed') }
let!(:merge_request2) { create(:merge_request, :conflict, author: user, source_project: project2, target_project: project1, state: 'closed') } let!(:merge_request3) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project2, state: 'locked', title: 'thing WIP thing') }
let!(:merge_request3) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project2, state: 'locked', title: 'thing WIP thing') } let!(:merge_request4) { create(:merge_request, :simple, author: user, source_project: project3, target_project: project3, title: 'WIP thing') }
let!(:merge_request4) { create(:merge_request, :simple, author: user, source_project: project3, target_project: project3, title: 'WIP thing') } let!(:merge_request5) { create(:merge_request, :simple, author: user, source_project: project4, target_project: project4, title: '[WIP]') }
let!(:merge_request5) { create(:merge_request, :simple, author: user, source_project: project4, target_project: project4, title: '[WIP]') } let!(:merge_request6) { create(:merge_request, :simple, author: user, source_project: project5, target_project: project5, title: 'WIP: thing') }
let!(:merge_request6) { create(:merge_request, :simple, author: user, source_project: project5, target_project: project5, title: 'WIP: thing') } let!(:merge_request7) { create(:merge_request, :simple, author: user, source_project: project6, target_project: project6, title: 'wip thing') }
let!(:merge_request7) { create(:merge_request, :simple, author: user, source_project: project6, target_project: project6, title: 'wip thing') } let!(:merge_request8) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project1, title: '[wip] thing') }
let!(:merge_request8) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project1, title: '[wip] thing') } let!(:merge_request9) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project2, title: 'wip: thing') }
let!(:merge_request9) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project2, title: 'wip: thing') }
before do
before do project1.add_maintainer(user)
project1.add_maintainer(user) project2.add_developer(user)
project2.add_developer(user) project3.add_developer(user)
project3.add_developer(user) project2.add_developer(user2)
project2.add_developer(user2) project4.add_developer(user)
project4.add_developer(user) project5.add_developer(user)
project5.add_developer(user) project6.add_developer(user)
project6.add_developer(user)
end
describe "#execute" do
it 'filters by scope' do
params = { scope: 'authored', state: 'opened' }
merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(7)
end end
it 'filters by project' do describe '#execute' do
params = { project_id: project1.id, scope: 'authored', state: 'opened' } it 'filters by scope' do
merge_requests = described_class.new(user, params).execute params = { scope: 'authored', state: 'opened' }
expect(merge_requests.size).to eq(2) merge_requests = described_class.new(user, params).execute
end expect(merge_requests.size).to eq(7)
end
it 'filters by commit sha' do it 'filters by project' do
merge_requests = described_class.new( params = { project_id: project1.id, scope: 'authored', state: 'opened' }
user, merge_requests = described_class.new(user, params).execute
commit_sha: merge_request5.merge_request_diff.last_commit_sha expect(merge_requests.size).to eq(2)
).execute end
expect(merge_requests).to contain_exactly(merge_request5) it 'filters by commit sha' do
end merge_requests = described_class.new(
user,
commit_sha: merge_request5.merge_request_diff.last_commit_sha
).execute
expect(merge_requests).to contain_exactly(merge_request5)
end
context 'filtering by group' do
it 'includes all merge requests when user has access' do
params = { group_id: group.id }
merge_requests = described_class.new(user, params).execute
context 'filtering by group' do expect(merge_requests.size).to eq(3)
it 'includes all merge requests when user has access' do end
params = { group_id: group.id }
it 'excludes merge requests from projects the user does not have access to' do
private_project = create_project_without_n_plus_1(:private, group: group)
private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project)
params = { group_id: group.id }
private_project.add_guest(user)
merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(3)
expect(merge_requests).not_to include(private_mr)
end
it 'filters by group including subgroups', :nested_groups do
params = { group_id: group.id, include_subgroups: true }
merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(6)
end
end
it 'filters by non_archived' do
params = { non_archived: true }
merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(8)
end
it 'filters by iid' do
params = { project_id: project1.id, iids: merge_request1.iid }
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(3) expect(merge_requests).to contain_exactly(merge_request1)
end end
it 'excludes merge requests from projects the user does not have access to' do it 'filters by source branch' do
private_project = create_project_without_n_plus_1(:private, group: group) params = { source_branch: merge_request2.source_branch }
private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project)
params = { group_id: group.id }
private_project.add_guest(user)
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(3) expect(merge_requests).to contain_exactly(merge_request2)
expect(merge_requests).not_to include(private_mr)
end end
it 'filters by group including subgroups', :nested_groups do it 'filters by target branch' do
params = { group_id: group.id, include_subgroups: true } params = { target_branch: merge_request2.target_branch }
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(6) expect(merge_requests).to contain_exactly(merge_request2)
end end
end
it 'filters by non_archived' do it 'filters by state' do
params = { non_archived: true } params = { state: 'locked' }
merge_requests = described_class.new(user, params).execute
expect(merge_requests.size).to eq(8)
end
it 'filters by iid' do merge_requests = described_class.new(user, params).execute
params = { project_id: project1.id, iids: merge_request1.iid }
merge_requests = described_class.new(user, params).execute expect(merge_requests).to contain_exactly(merge_request3)
end
expect(merge_requests).to contain_exactly(merge_request1) it 'filters by wip' do
end params = { wip: 'yes' }
it 'filters by source branch' do merge_requests = described_class.new(user, params).execute
params = { source_branch: merge_request2.source_branch }
merge_requests = described_class.new(user, params).execute expect(merge_requests).to contain_exactly(merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9)
end
expect(merge_requests).to contain_exactly(merge_request2) it 'filters by not wip' do
end params = { wip: 'no' }
it 'filters by target branch' do merge_requests = described_class.new(user, params).execute
params = { target_branch: merge_request2.target_branch }
merge_requests = described_class.new(user, params).execute expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3)
end
expect(merge_requests).to contain_exactly(merge_request2) it 'returns all items if no valid wip param exists' do
end params = { wip: '' }
it 'filters by state' do merge_requests = described_class.new(user, params).execute
params = { state: 'locked' }
merge_requests = described_class.new(user, params).execute expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3, merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9)
end
expect(merge_requests).to contain_exactly(merge_request3) it 'adds wip to scalar params' do
end scalar_params = described_class.scalar_params
it 'filters by wip' do expect(scalar_params).to include(:wip, :assignee_id)
params = { wip: 'yes' } end
merge_requests = described_class.new(user, params).execute context 'filtering by group milestone' do
let!(:group) { create(:group, :public) }
let(:group_milestone) { create(:milestone, group: group) }
let!(:group_member) { create(:group_member, group: group, user: user) }
let(:params) { { milestone_title: group_milestone.title } }
expect(merge_requests).to contain_exactly(merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) before do
end project2.update(namespace: group)
merge_request2.update(milestone: group_milestone)
merge_request3.update(milestone: group_milestone)
end
it 'filters by not wip' do it 'returns issues assigned to that group milestone' do
params = { wip: 'no' } merge_requests = described_class.new(user, params).execute
merge_requests = described_class.new(user, params).execute expect(merge_requests).to contain_exactly(merge_request2, merge_request3)
end
end
expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3) context 'filtering by created_at/updated_at' do
end let(:new_project) { create(:project, forked_from_project: project1) }
it 'returns all items if no valid wip param exists' do let!(:new_merge_request) do
params = { wip: '' } create(:merge_request,
:simple,
author: user,
created_at: 1.week.from_now,
updated_at: 1.week.from_now,
source_project: new_project,
target_project: new_project)
end
merge_requests = described_class.new(user, params).execute let!(:old_merge_request) do
create(:merge_request,
:simple,
author: user,
source_branch: 'feature_1',
created_at: 1.week.ago,
updated_at: 1.week.ago,
source_project: new_project,
target_project: new_project)
end
expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3, merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) before do
end new_project.add_maintainer(user)
end
it 'adds wip to scalar params' do it 'filters by created_after' do
scalar_params = described_class.scalar_params params = { project_id: new_project.id, created_after: new_merge_request.created_at }
expect(scalar_params).to include(:wip, :assignee_id) merge_requests = described_class.new(user, params).execute
end
context 'filtering by group milestone' do expect(merge_requests).to contain_exactly(new_merge_request)
let!(:group) { create(:group, :public) } end
let(:group_milestone) { create(:milestone, group: group) }
let!(:group_member) { create(:group_member, group: group, user: user) }
let(:params) { { milestone_title: group_milestone.title } }
before do it 'filters by created_before' do
project2.update(namespace: group) params = { project_id: new_project.id, created_before: old_merge_request.created_at }
merge_request2.update(milestone: group_milestone)
merge_request3.update(milestone: group_milestone)
end
it 'returns issues assigned to that group milestone' do merge_requests = described_class.new(user, params).execute
merge_requests = described_class.new(user, params).execute
expect(merge_requests).to contain_exactly(merge_request2, merge_request3) expect(merge_requests).to contain_exactly(old_merge_request)
end end
end
context 'filtering by created_at/updated_at' do it 'filters by created_after and created_before' do
let(:new_project) { create(:project, forked_from_project: project1) } params = {
project_id: new_project.id,
let!(:new_merge_request) do created_after: old_merge_request.created_at,
create(:merge_request, created_before: new_merge_request.created_at
:simple, }
author: user,
created_at: 1.week.from_now,
updated_at: 1.week.from_now,
source_project: new_project,
target_project: new_project)
end
let!(:old_merge_request) do merge_requests = described_class.new(user, params).execute
create(:merge_request,
:simple,
author: user,
source_branch: 'feature_1',
created_at: 1.week.ago,
updated_at: 1.week.ago,
source_project: new_project,
target_project: new_project)
end
before do expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request)
new_project.add_maintainer(user) end
end
it 'filters by created_after' do it 'filters by updated_after' do
params = { project_id: new_project.id, created_after: new_merge_request.created_at } params = { project_id: new_project.id, updated_after: new_merge_request.updated_at }
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests).to contain_exactly(new_merge_request) expect(merge_requests).to contain_exactly(new_merge_request)
end end
it 'filters by created_before' do it 'filters by updated_before' do
params = { project_id: new_project.id, created_before: old_merge_request.created_at } params = { project_id: new_project.id, updated_before: old_merge_request.updated_at }
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests).to contain_exactly(old_merge_request) expect(merge_requests).to contain_exactly(old_merge_request)
end end
it 'filters by created_after and created_before' do it 'filters by updated_after and updated_before' do
params = { params = {
project_id: new_project.id, project_id: new_project.id,
created_after: old_merge_request.created_at, updated_after: old_merge_request.updated_at,
created_before: new_merge_request.created_at updated_before: new_merge_request.updated_at
} }
merge_requests = described_class.new(user, params).execute merge_requests = described_class.new(user, params).execute
expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request)
end
end end
end
it 'filters by updated_after' do describe '#row_count', :request_store do
params = { project_id: new_project.id, updated_after: new_merge_request.updated_at } it 'returns the number of rows for the default state' do
finder = described_class.new(user)
merge_requests = described_class.new(user, params).execute expect(finder.row_count).to eq(7)
end
it 'returns the number of rows for a given state' do
finder = described_class.new(user, state: 'closed')
expect(merge_requests).to contain_exactly(new_merge_request) expect(finder.row_count).to eq(1)
end end
end
end
it 'filters by updated_before' do context 'when projects require different access levels for merge requests' do
params = { project_id: new_project.id, updated_before: old_merge_request.updated_at } let(:user) { create(:user) }
merge_requests = described_class.new(user, params).execute let(:public_project) { create(:project, :public) }
let(:internal) { create(:project, :internal) }
let(:private_project) { create(:project, :private) }
let(:public_with_private_repo) { create(:project, :public, :repository, :repository_private) }
let(:internal_with_private_repo) { create(:project, :internal, :repository, :repository_private) }
expect(merge_requests).to contain_exactly(old_merge_request) let(:merge_requests) { described_class.new(user, {}).execute }
end
it 'filters by updated_after and updated_before' do let!(:mr_public) { create(:merge_request, source_project: public_project) }
params = { let!(:mr_private) { create(:merge_request, source_project: private_project) }
project_id: new_project.id, let!(:mr_internal) { create(:merge_request, source_project: internal) }
updated_after: old_merge_request.updated_at, let!(:mr_private_repo_access) { create(:merge_request, source_project: public_with_private_repo) }
updated_before: new_merge_request.updated_at let!(:mr_internal_private_repo_access) { create(:merge_request, source_project: internal_with_private_repo) }
}
merge_requests = described_class.new(user, params).execute context 'with admin user' do
let(:user) { create(:user, :admin) }
expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) it 'returns all merge requests' do
expect(merge_requests).to eq(
[mr_internal_private_repo_access, mr_private_repo_access, mr_internal, mr_private, mr_public]
)
end end
end end
...@@ -293,19 +337,85 @@ describe MergeRequestsFinder do ...@@ -293,19 +337,85 @@ describe MergeRequestsFinder do
expect(merge_requests).to be_empty expect(merge_requests).to be_empty
end end
end end
end
describe '#row_count', :request_store do context 'with external user' do
it 'returns the number of rows for the default state' do let(:user) { create(:user, :external) }
finder = described_class.new(user)
expect(finder.row_count).to eq(7) it 'returns only public merge requests' do
expect(merge_requests).to eq([mr_public])
end
end end
it 'returns the number of rows for a given state' do context 'with authenticated user' do
finder = described_class.new(user, state: 'closed') it 'returns public and internal merge requests' do
expect(merge_requests).to eq([mr_internal, mr_public])
end
context 'being added to the private project' do
context 'as a guest' do
before do
private_project.add_guest(user)
end
it 'does not return merge requests from the private project' do
expect(merge_requests).to eq([mr_internal, mr_public])
end
end
context 'as a developer' do
before do
private_project.add_developer(user)
end
it 'returns merge requests from the private project' do
expect(merge_requests).to eq([mr_internal, mr_private, mr_public])
end
end
end
expect(finder.row_count).to eq(1) context 'being added to the public project with private repo access' do
context 'as a guest' do
before do
public_with_private_repo.add_guest(user)
end
it 'returns merge requests from the project' do
expect(merge_requests).to eq([mr_internal, mr_public])
end
end
context 'as a reporter' do
before do
public_with_private_repo.add_reporter(user)
end
it 'returns merge requests from the project' do
expect(merge_requests).to eq([mr_private_repo_access, mr_internal, mr_public])
end
end
end
context 'being added to the internal project with private repo access' do
context 'as a guest' do
before do
internal_with_private_repo.add_guest(user)
end
it 'returns merge requests from the project' do
expect(merge_requests).to eq([mr_internal, mr_public])
end
end
context 'as a reporter' do
before do
internal_with_private_repo.add_reporter(user)
end
it 'returns merge requests from the project' do
expect(merge_requests).to eq([mr_internal_private_repo_access, mr_internal, mr_public])
end
end
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment