Commits · e78182a5faff7ed1cea59dea901ff8602b8ad638 · Boxiang Sun / gitlab-ce

An error occurred fetching the project authors.

24 Nov, 2016 1 commit

Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security' · e78182a5

Douwe Maan authored 8 years ago

Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

 - Potentially untested
 - No test coverage
 - Test coverage of some sort exists (a test failed when error raised)
 - Test coverage of return value (a test failed when nil used)
 - Permissions check tested

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x]  app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x]  app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x]  app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x]  lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x]  lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x]  lib/gitlab/search_results.rb:53 [`visible_to_user`]

- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>

e78182a5

06 Sep, 2016 1 commit
- Clean up search result classes · 03bed0fb
  Valery Sizov authored 8 years ago
  
  03bed0fb
17 Mar, 2016 1 commit
- Restrict access to confidential issues on search results · f2ba4e3d
  Douglas Barbosa Alexandre authored 8 years ago
  
  f2ba4e3d
11 Mar, 2016 2 commits

Removed order from sub-query projects for search · b77b3b16
Yorick Peterse authored 9 years ago
```
There's no need to order queries used as sub-queries and doing so can
add potential overhead.
```
b77b3b16

Refactor Gitlab::SearchResults · 01354296

Yorick Peterse authored 9 years ago

Instead of plucking IDs this class now uses ActiveRecord::Relation
objects. Plucking IDs is problematic as searching for projects can lead
to a huge amount of IDs being loaded into memory only to be used as an
argument for another query (instead of just using a sub-query).

01354296

24 Aug, 2015 1 commit
- Ability to search milestones · 56527b63
  Valery Sizov authored 9 years ago
  
  56527b63
18 May, 2015 1 commit
- Add search issues/MR by number · 241f5971
  Nikita Verkhovin authored 9 years ago
  
  241f5971
27 Aug, 2014 2 commits
- Fix tests · c5c906fe
  Dmitriy Zaporozhets authored 10 years ago
```
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
```
  c5c906fe
- Search by issue/mr title and description · 8b00d01c
  Dmitriy Zaporozhets authored 10 years ago
```
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
```
  8b00d01c
26 Aug, 2014 2 commits

Pass scope and page to Gitlab::SearchResults#objects instead of initialize · 9e5bc432
Dmitriy Zaporozhets authored 10 years ago
```
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
```
9e5bc432

Search results libraries added · 9a4ef7e7

Dmitriy Zaporozhets authored 10 years ago

Gitlab::SearchResults and Gitlab::ProjectSearchResults are libraries we
are going to use to get search results based on query, enitity type and
pagination.

It will allow us to get only issues from project #23 where title or
description includes 'foo'.

Ex:

search_results = Gitlab::ProjectSearchResults.new(project.id, 'foo', 'issues')

search_results.objects => # [<Issues #23>, <Issues #34>]
search_results.issues_count => 2
search_results.total_count => 12 (it includes results from comments and
merge requests too)
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

9a4ef7e7