6dfe01a7
Commit
6dfe01a7
authored
Sep 15, 2019
by
Eugenia Grieff
Backport for CE MR
https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/3409
parent
17a7203c
Changes
6
Showing
6 changed files
with
102 additions
and
8 deletions
+102
-8
app/finders/labels_finder.rb
app/finders/labels_finder.rb
+7
-1
app/models/project.rb
app/models/project.rb
+4
-4
changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
...bels-visible-despite-no-access-to-issues-repositories.yml
+5
-0
lib/gitlab/search_results.rb
lib/gitlab/search_results.rb
+1
-1
spec/finders/labels_finder_spec.rb
spec/finders/labels_finder_spec.rb
+83
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+2
-2
app/finders/labels_finder.rb
...
...
@@ -51,7 +51,7 @@ class LabelsFinder < UnionFinder
end
label_ids
<<
Label
.
where
(
group_id:
projects
.
group_ids
)
label_ids
<<
Label
.
where
(
project_id:
projects
.
select
(
:id
))
unless
only_group_labels?
label_ids
<<
Label
.
where
(
project_id:
ids_user_can_read_labels
(
projects
))
unless
only_group_labels?
end
label_ids
...
...
@@ -188,4 +188,10 @@ class LabelsFinder < UnionFinder
groups
.
select
{
|
group
|
authorized_to_read_labels?
(
group
)
}
end
end
# rubocop: disable CodeReuse/ActiveRecord
def
ids_user_can_read_labels
(
projects
)
Project
.
where
(
id:
projects
.
select
(
:id
)).
ids_with_issuables_available_for
(
current_user
)
end
# rubocop: enable CodeReuse/ActiveRecord
end
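Review bot: The new private helper `ids_user_can_read_labels` carries no comment, yet after the change in the first hunk it is the check that keeps labels of projects whose issues and merge requests are hidden from the user out of group-level results; a reader has to follow `ids_with_issuables_available_for` into project.rb to learn that. I would add above the `def`: `# Ids of +projects+ whose issues or merge requests current_user may see; labels of the remaining projects must not be returned for a group query.` If `current_user` can be nil for anonymous callers, confirm that `ids_with_issuables_available_for(nil)` yields the restricted set, because the new examples in labels_finder_spec.rb only exercise a signed-in non-member. The `Project.where(id: projects.select(:id))` wrapper looks redundant if `projects` is already a Project relation, but the finder code that builds `projects` is outside the hunk, so that is only an inference.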
app/models/project.rb
...
...
@@ -613,11 +613,11 @@ class Project < ApplicationRecord
joins
(
:namespace
).
where
(
namespaces:
{
type:
'Group'
}).
select
(
:namespace_id
)
end
# Returns ids of projects with
mileston
es available for given user
# Returns ids of projects with
issuabl
es available for given user
#
# Used on queries to find milestones which user can see
# For example: Milestone.where(project_id: ids_with_
milestone
_available_for(user))
def
ids_with_
milestone
_available_for
(
user
)
# Used on queries to find milestones
or labels
which user can see
# For example: Milestone.where(project_id: ids_with_
issuables
_available_for(user))
def
ids_with_
issuables
_available_for
(
user
)
with_issues_enabled
=
with_issues_available_for_user
(
user
).
select
(
:id
)
with_merge_requests_enabled
=
with_merge_requests_available_for_user
(
user
).
select
(
:id
)
...
...
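Review bot: The rewritten comment on `ids_with_issuables_available_for` says "issuables available" but does not state how the two relations `with_issues_enabled` and `with_merge_requests_enabled` combine, and the rest of the method body is below the hunk; since labels_finder.rb now relies on this scope as its visibility filter, the rule belongs in the comment. The new finder specs pass only when both features are private and fail to restrict when just one is, so the combination appears to be "either", and I would write `# Returns ids of projects where the given user can see issues OR merge requests` — confirm against the part of the body outside the hunk. The example line could also mention the label use it now serves, e.g. `# For example: Label.where(project_id: ids_with_issuables_available_for(user))`.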
changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
0 → 100644
---
title
:
Do not display project labels that are not visible for user accessing group labels
merge_request
:
author
:
type
:
security
lib/gitlab/search_results.rb
...
...
@@ -163,7 +163,7 @@ module Gitlab
return
Milestone
.
none
if
project_ids
.
nil?
authorized_project_ids_relation
=
Project
.
where
(
id:
project_ids
).
ids_with_
milestone
_available_for
(
current_user
)
Project
.
where
(
id:
project_ids
).
ids_with_
issuables
_available_for
(
current_user
)
milestones
.
where
(
project_id:
authorized_project_ids_relation
)
end
...
...
spec/finders/labels_finder_spec.rb
...
...
@@ -128,6 +128,89 @@ describe LabelsFinder do
expect
(
finder
.
execute
).
to
eq
[
private_subgroup_label_1
]
end
end
context
'when including labels from group projects with limited visibility'
do
let
(
:finder
)
{
described_class
.
new
(
user
,
group_id:
group_4
.
id
)
}
let
(
:group_4
)
{
create
(
:group
)
}
let
(
:limited_visibility_project
)
{
create
(
:project
,
:public
,
group:
group_4
)
}
let
(
:visible_project
)
{
create
(
:project
,
:public
,
group:
group_4
)
}
let!
(
:group_label_1
)
{
create
(
:group_label
,
group:
group_4
)
}
let!
(
:limited_visibility_label
)
{
create
(
:label
,
project:
limited_visibility_project
)
}
let!
(
:visible_label
)
{
create
(
:label
,
project:
visible_project
)
}
shared_examples
'with full visibility'
do
it
'returns all projects labels'
do
expect
(
finder
.
execute
).
to
eq
[
group_label_1
,
limited_visibility_label
,
visible_label
]
end
end
shared_examples
'with limited visibility'
do
it
'returns only authorized projects labels'
do
expect
(
finder
.
execute
).
to
eq
[
group_label_1
,
visible_label
]
end
end
context
'when merge requests and issues are not visible for non members'
do
before
do
limited_visibility_project
.
project_feature
.
update!
(
merge_requests_access_level:
ProjectFeature
::
PRIVATE
,
issues_access_level:
ProjectFeature
::
PRIVATE
)
end
context
'when user is not a group member'
do
it_behaves_like
'with limited visibility'
end
context
'when user is a group member'
do
before
do
group_4
.
add_developer
(
user
)
end
it_behaves_like
'with full visibility'
end
end
context
'when merge requests are not visible for non members'
do
before
do
limited_visibility_project
.
project_feature
.
update!
(
merge_requests_access_level:
ProjectFeature
::
PRIVATE
)
end
context
'when user is not a group member'
do
it_behaves_like
'with full visibility'
end
context
'when user is a group member'
do
before
do
group_4
.
add_developer
(
user
)
end
it_behaves_like
'with full visibility'
end
end
context
'when issues are not visible for non members'
do
before
do
limited_visibility_project
.
project_feature
.
update!
(
issues_access_level:
ProjectFeature
::
PRIVATE
)
end
context
'when user is not a group member'
do
it_behaves_like
'with full visibility'
end
context
'when user is a group member'
do
before
do
group_4
.
add_developer
(
user
)
end
it_behaves_like
'with full visibility'
end
end
end
end
context
'filtering by project_id'
do
...
...
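Review bot: The 'with limited visibility' examples in the new context only exercise a signed-in user who is not a group member; there is no example for an anonymous (nil) user, which is the case the restriction most obviously has to hold for if the finder is reachable without a session. I would add a third sibling of 'when user is not a group member' under at least the first feature-visibility context, overriding `finder` with a nil user and expecting the limited set (presumably the same two labels, since the projects are public). The expectations `eq [group_label_1, limited_visibility_label, visible_label]` also depend on the finder's ordering; `match_array` would state the intended set semantics, although `eq` matches the existing examples above the hunk.
```ruby
context 'when merge requests and issues are not visible for non members' do
  # … unchanged: before block making both features PRIVATE …

  context 'when user is anonymous' do
    let(:finder) { described_class.new(nil, group_id: group_4.id) }

    it_behaves_like 'with limited visibility'
  end

  # … unchanged: non-member and group-member contexts …
end
```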
spec/models/project_spec.rb
...
...
@@ -3416,7 +3416,7 @@ describe Project do
end
end
describe
'.ids_with_
milestone
_available_for'
do
describe
'.ids_with_
issuables
_available_for'
do
let!
(
:user
)
{
create
(
:user
)
}
it
'returns project ids with milestones available for user'
do
...
...
@@ -3426,7 +3426,7 @@ describe Project do
project_4
=
create
(
:project
,
:public
)
project_4
.
project_feature
.
update
(
issues_access_level:
ProjectFeature
::
PRIVATE
,
merge_requests_access_level:
ProjectFeature
::
PRIVATE
)
project_ids
=
described_class
.
ids_with_
milestone
_available_for
(
user
).
pluck
(
:id
)
project_ids
=
described_class
.
ids_with_
issuables
_available_for
(
user
).
pluck
(
:id
)
expect
(
project_ids
).
to
include
(
project_2
.
id
,
project_3
.
id
)
expect
(
project_ids
).
not_to
include
(
project_1
.
id
,
project_4
.
id
)
...
...
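Review bot: The example description in the first hunk still reads `it 'returns project ids with milestones available for user'`, so the spec output keeps talking about milestones after the method was renamed to `ids_with_issuables_available_for`; I would change it to `it 'returns project ids with issuables available for user'`. In the second hunk the context line `project_4.project_feature.update(issues_access_level: ..., merge_requests_access_level: ...)` ignores a failed save, unlike the `update!` used in the new labels_finder_spec examples; with `update!` an unsaved feature setting would fail the example instead of letting the `not_to include(project_4.id)` expectation pass for the wrong reason.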