Commit
2a531983
authored
Nov 09, 2018
by
Heinrich Lee Yu
Refactor whitelisting of filter params
parent
2ade9b44
Changes
6
Showing
6 changed files
with
32 additions
and
65 deletions
+32
-65
app/controllers/concerns/issuable_collections.rb
app/controllers/concerns/issuable_collections.rb
+18
-18
app/controllers/concerns/merge_requests_action.rb
app/controllers/concerns/merge_requests_action.rb
+1
-1
app/controllers/dashboard_controller.rb
app/controllers/dashboard_controller.rb
+4
-12
app/finders/issuable_finder.rb
app/finders/issuable_finder.rb
+3
-11
app/helpers/application_helper.rb
app/helpers/application_helper.rb
+1
-13
spec/controllers/concerns/issuable_collections_spec.rb
spec/controllers/concerns/issuable_collections_spec.rb
+5
-10
app/controllers/concerns/issuable_collections.rb
...
@@ -81,36 +81,36 @@ module IssuableCollections
...
@@ -81,36 +81,36 @@ module IssuableCollections
end
end
def
issuable_finder_for
(
finder_class
)
def
issuable_finder_for
(
finder_class
)
finder_class
.
new
(
current_user
,
fi
lter_param
s
)
finder_class
.
new
(
current_user
,
fi
nder_option
s
)
end
end
# rubocop:disable Gitlab/ModuleWithInstanceVariables
# rubocop:disable Gitlab/ModuleWithInstanceVariables
# rubocop: disable CodeReuse/ActiveRecord
def
finder_options
def
filter_params
params
[
:state
]
=
default_state
if
params
[
:state
].
blank?
set_sort_order_from_cookie
set_default_state
# Skip irrelevant Rails routing params
options
=
{
@filter_params
=
params
.
dup
.
except
(
:controller
,
:action
,
:namespace_id
)
scope:
params
[
:scope
],
@filter_params
[
:sort
]
||=
default_sort_order
state:
params
[
:state
],
sort:
set_sort_order_from_cookie
||
default_sort_order
}
@sort
=
@filter_params
[
:sort
]
# Used by view to highlight active option
@sort
=
options
[
:sort
]
if
@project
if
@project
@filter_param
s
[
:project_id
]
=
@project
.
id
option
s
[
:project_id
]
=
@project
.
id
elsif
@group
elsif
@group
@filter_param
s
[
:group_id
]
=
@group
.
id
option
s
[
:group_id
]
=
@group
.
id
@filter_param
s
[
:include_subgroups
]
=
true
option
s
[
:include_subgroups
]
=
true
@filter_param
s
[
:use_cte_for_search
]
=
true
option
s
[
:use_cte_for_search
]
=
true
end
end
@filter_params
.
permit
(
finder_type
.
valid_param
s
)
params
.
permit
(
finder_type
.
valid_params
).
merge
(
option
s
)
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop:enable Gitlab/ModuleWithInstanceVariables
# rubocop:enable Gitlab/ModuleWithInstanceVariables
def
set_
default_state
def
default_state
params
[
:state
]
=
'opened'
if
params
[
:state
].
blank?
'opened'
end
end
def
set_sort_order_from_cookie
def
set_sort_order_from_cookie
...
@@ -121,7 +121,7 @@ module IssuableCollections
...
@@ -121,7 +121,7 @@ module IssuableCollections
sort_value
=
update_cookie_value
(
sort_param
)
sort_value
=
update_cookie_value
(
sort_param
)
set_secure_cookie
(
remember_sorting_key
,
sort_value
)
set_secure_cookie
(
remember_sorting_key
,
sort_value
)
params
[
:sort
]
=
sort_value
sort_value
end
end
def
remember_sorting_key
def
remember_sorting_key
...
...
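Review bot: The `# Skip irrelevant Rails routing params` comment now sits above the `options = { ... }` hash in `finder_options`, which skips nothing; the routing params are dropped by `params.permit(finder_type.valid_params)` on the method's last line. Suggest replacing it with `# Controller-owned options; merged onto the permitted hash last, so nothing in the request can override them`, which is what `.merge(options)` after `permit` actually guarantees. The method also still writes `params[:state] = default_state` back into the request params, while `set_sort_order_from_cookie` in the second hunk now returns `sort_value` instead of assigning `params[:sort]`; unless a view still reads `params[:state]`, `state: params[:state].presence || default_state` inside the hash would make the two paths consistent and keep `finder_options` free of request mutation.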
app/controllers/concerns/merge_requests_action.rb
...
@@ -19,7 +19,7 @@ module MergeRequestsAction
...
@@ -19,7 +19,7 @@ module MergeRequestsAction
(
MergeRequestsFinder
if
action_name
==
'merge_requests'
)
(
MergeRequestsFinder
if
action_name
==
'merge_requests'
)
end
end
def
fi
lter_param
s
def
fi
nder_option
s
super
.
merge
(
non_archived:
true
)
super
.
merge
(
non_archived:
true
)
end
end
end
end
app/controllers/dashboard_controller.rb
...
@@ -4,17 +4,6 @@ class DashboardController < Dashboard::ApplicationController
...
@@ -4,17 +4,6 @@ class DashboardController < Dashboard::ApplicationController
include
IssuesAction
include
IssuesAction
include
MergeRequestsAction
include
MergeRequestsAction
FILTER_PARAMS
=
[
# author_id and assignee_id are kept so old RSS links still work
:author_id
,
:assignee_id
,
:author_username
,
:assignee_username
,
:milestone_title
,
:label_name
,
:my_reaction_emoji
].
freeze
before_action
:event_filter
,
only: :activity
before_action
:event_filter
,
only: :activity
before_action
:projects
,
only:
[
:issues
,
:merge_requests
]
before_action
:projects
,
only:
[
:issues
,
:merge_requests
]
before_action
:set_show_full_reference
,
only:
[
:issues
,
:merge_requests
]
before_action
:set_show_full_reference
,
only:
[
:issues
,
:merge_requests
]
...
@@ -55,10 +44,13 @@ class DashboardController < Dashboard::ApplicationController
...
@@ -55,10 +44,13 @@ class DashboardController < Dashboard::ApplicationController
end
end
def
check_filters_presence!
def
check_filters_presence!
@no_filters_set
=
FILTER_PARAMS
.
none?
{
|
k
|
params
.
key?
(
k
)
}
@no_filters_set
=
finder_type
.
scalar_params
.
none?
{
|
k
|
params
.
key?
(
k
)
}
return
unless
@no_filters_set
return
unless
@no_filters_set
# Call to set selected `state` and `sort` options in view
finder_options
respond_to
do
|
format
|
respond_to
do
|
format
|
format
.
html
{
render
}
format
.
html
{
render
}
format
.
atom
{
head
:bad_request
}
format
.
atom
{
head
:bad_request
}
...
...
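Review bot: Deleting `FILTER_PARAMS` also deletes its rationale, `# author_id and assignee_id are kept so old RSS links still work`, and nothing in the new `check_filters_presence!` carries it forward; that comment should move next to the `author_id`/`assignee_id` entries in `IssuableFinder.scalar_params`, which is now the list this check keys off, so a later cleanup of that array does not break the old feed URLs. The set being checked also changes: `search` is in `scalar_params` (it is context in the issuable_finder hunk) but was not in `FILTER_PARAMS`, so a dashboard request carrying only `search` is no longer treated as unfiltered and an atom request for it will render instead of getting `head :bad_request`; whatever else `scalar_params` lists above the visible hunk widens this further, so it is worth confirming this is intended. The bare `finder_options` call added under `return unless @no_filters_set` exists only for its side effects; the comment says so, which is fine, but a trailing `# sets @sort` on the call itself would keep the reason attached if the comment line is ever moved.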
app/finders/issuable_finder.rb
...
@@ -14,7 +14,9 @@
...
@@ -14,7 +14,9 @@
# project_id: integer
# project_id: integer
# milestone_title: string
# milestone_title: string
# author_id: integer
# author_id: integer
# author_username: string
# assignee_id: integer or 'None' or 'Any'
# assignee_id: integer or 'None' or 'Any'
# assignee_username: string
# search: string
# search: string
# label_name: string
# label_name: string
# sort: string
# sort: string
...
@@ -49,25 +51,15 @@ class IssuableFinder
...
@@ -49,25 +51,15 @@ class IssuableFinder
assignee_username
assignee_username
author_id
author_id
author_username
author_username
authorized_only
group_id
iids
label_name
label_name
milestone_title
milestone_title
my_reaction_emoji
my_reaction_emoji
non_archived
project_id
scope
search
search
sort
state
include_subgroups
use_cte_for_search
]
]
end
end
def
self
.
array_params
def
self
.
array_params
@array_params
||=
{
label_name:
[],
iids:
[],
assignee_username:
[]
}
@array_params
||=
{
label_name:
[],
assignee_username:
[]
}
end
end
def
self
.
valid_params
def
self
.
valid_params
...
...
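Review bot: After this hunk `scalar_params` appears to hold only the keys a request is allowed to supply — `authorized_only`, `group_id`, `iids`, `non_archived`, `project_id`, `scope`, `state`, `sort`, `include_subgroups` and `use_cte_for_search` are all dropped and are now set by the controller in `IssuableCollections#finder_options` — but nothing in the file says that, and the header comment at line 14 still documents `project_id` alongside `author_username` and `assignee_username` as if they were the same kind of input. A reader of `valid_params` will take the array for the finder's full option set; suggest a comment above it, `# Options a controller may permit straight from the request (see IssuableCollections#finder_options). Scope/state/sort and project/group ids are supplied by the controller and must never be added here.` The `def self.valid_params` at the end of the hunk continues outside it, so whether it already documents this is not visible.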
app/helpers/application_helper.rb
...
@@ -173,19 +173,7 @@ module ApplicationHelper
...
@@ -173,19 +173,7 @@ module ApplicationHelper
without
=
options
.
delete
(
:without
)
without
=
options
.
delete
(
:without
)
add_label
=
options
.
delete
(
:label
)
add_label
=
options
.
delete
(
:label
)
exist_opts
=
{
options
=
request
.
query_parameters
.
merge
(
options
)
state:
params
[
:state
],
scope:
params
[
:scope
],
milestone_title:
params
[
:milestone_title
],
assignee_username:
params
[
:assignee_username
],
author_username:
params
[
:author_username
],
search:
params
[
:search
],
label_name:
params
[
:label_name
],
my_reaction_emoji:
params
[
:my_reaction_emoji
],
wip:
params
[
:wip
]
}
options
=
exist_opts
.
merge
(
options
)
if
without
.
present?
if
without
.
present?
without
.
each
do
|
key
|
without
.
each
do
|
key
|
...
...
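Review bot: `options = request.query_parameters.merge(options)` replaces the explicit `exist_opts` allow-list (state, scope, milestone_title, assignee_username, author_username, search, label_name, my_reaction_emoji, wip) with every query parameter of the current request, so the links this helper builds now carry any key a client puts in the URL — paging, tracking or otherwise unexpected params — rather than the known filter set; for a commit titled "Refactor whitelisting" this hunk removes a whitelist. The URL helpers will still escape values, so this is about propagating unintended state and widening what a crafted link forwards, not injection. Keeping the allow-list is a one-line change: `options = request.query_parameters.slice(*FILTER_LINK_PARAMS).merge(options)` with the old nine keys in a frozen constant (name is a proposal), or `slice(*IssuableFinder.scalar_params.map(&:to_s), 'state', 'scope', 'wip')` if the list should follow the finder. The enclosing helper starts before this hunk and its `without`/`add_label` handling continues after it.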
spec/controllers/concerns/issuable_collections_spec.rb
...
@@ -60,7 +60,7 @@ describe IssuableCollections do
...
@@ -60,7 +60,7 @@ describe IssuableCollections do
end
end
end
end
describe
'#fi
lter_param
s'
do
describe
'#fi
nder_option
s'
do
let
(
:params
)
do
let
(
:params
)
do
{
{
assignee_id:
'1'
,
assignee_id:
'1'
,
...
@@ -84,25 +84,20 @@ describe IssuableCollections do
...
@@ -84,25 +84,20 @@ describe IssuableCollections do
}
}
end
end
it
'
filters
params'
do
it
'
only allows whitelisted
params'
do
allow
(
controller
).
to
receive
(
:cookies
).
and_return
({})
allow
(
controller
).
to
receive
(
:cookies
).
and_return
({})
fi
ltered_params
=
controller
.
send
(
:filter_param
s
)
fi
nder_options
=
controller
.
send
(
:finder_option
s
)
expect
(
fi
ltered_param
s
).
to
eq
({
expect
(
fi
nder_option
s
).
to
eq
({
'assignee_id'
=>
'1'
,
'assignee_id'
=>
'1'
,
'assignee_username'
=>
'user1'
,
'assignee_username'
=>
'user1'
,
'author_id'
=>
'2'
,
'author_id'
=>
'2'
,
'author_username'
=>
'user2'
,
'author_username'
=>
'user2'
,
'authorized_only'
=>
'true'
,
'due_date'
=>
'2017-01-01'
,
'group_id'
=>
'3'
,
'iids'
=>
'4'
,
'label_name'
=>
'foo'
,
'label_name'
=>
'foo'
,
'milestone_title'
=>
'bar'
,
'milestone_title'
=>
'bar'
,
'my_reaction_emoji'
=>
'thumbsup'
,
'my_reaction_emoji'
=>
'thumbsup'
,
'non_archived'
=>
'true'
,
'due_date'
=>
'2017-01-01'
,
'project_id'
=>
'5'
,
'scope'
=>
'all'
,
'scope'
=>
'all'
,
'search'
=>
'baz'
,
'search'
=>
'baz'
,
'sort'
=>
'priority'
,
'sort'
=>
'priority'
,
...
...
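Review bot: The renamed example `only allows whitelisted params` still exercises only the path where neither `@project` nor `@group` is set on the controller, so nothing pins the behaviour the refactor actually introduces: a request-supplied `project_id`/`group_id` being dropped by `permit` and the controller-set id winning via the `merge` in `finder_options`. The old expectation showed `'project_id' => '5'` and `'group_id' => '3'` arriving from params, which is exactly what changes here. Consider a second example that sets `@project` on the controller and expects `finder_options[:project_id]` to equal the project's id regardless of what `params[:project_id]` holds. Both the `let(:params)` hash and the expectation continue outside the visible hunks, so whether `project_id` is still in the input is not visible here.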