gitlab-org--gitlab-foss/app/finders/concerns/finder_with_cross_project_access.rb

# frozen_string_literal: true

# Module to prepend into finders to specify wether or not the finder requires
# cross project access
#
# This module depends on the finder implementing the following methods:
#
# - `#execute` should return an `ActiveRecord::Relation` or the `model` needs to
#              be defined in the call to `requires_cross_project_access`.
# - `#current_user` the user that requires access (or nil)
module FinderWithCrossProjectAccess
  extend ActiveSupport::Concern
  extend ::Gitlab::Utils::Override

  prepended do
    extend Gitlab::CrossProjectAccess::ClassMethods

    cattr_accessor :finder_model

    def self.requires_cross_project_access(*args)
      super

      self.finder_model = extract_model_from_arguments(args)
    end

    private

    def self.extract_model_from_arguments(args)
      args.detect { |argument| argument.is_a?(Hash) && argument[:model] }
        &.fetch(:model)
    end
  end

  override :execute
  def execute(*args)
    check = Gitlab::CrossProjectAccess.find_check(self)
    original = -> { super }

    return original.call unless check
    return original.call if should_skip_cross_project_check || can_read_cross_project?

    if check.should_run?(self)
      finder_model&.none || original.call.model.none
    else
      original.call
    end
  end

  # We can skip the cross project check for finding indivitual records.
  # this would be handled by the `can?(:read_*, result)` call in `FinderMethods`
  # itself.
  override :find_by!
  def find_by!(*args)
    skip_cross_project_check { super }
  end

  override :find_by
  def find_by(*args)
    skip_cross_project_check { super }
  end

  override :find
  def find(*args)
    skip_cross_project_check { super }
  end

  attr_accessor :should_skip_cross_project_check

  def skip_cross_project_check
    self.should_skip_cross_project_check = true

    yield
  ensure
    # The find could raise an `ActiveRecord::RecordNotFound`, after which we
    # still want to re-enable the check.
    self.should_skip_cross_project_check = false
  end

  def can_read_cross_project?
    Ability.allowed?(current_user, :read_cross_project)
  end

  def can_read_project?(project)
    Ability.allowed?(current_user, :read_project, project)
  end
end
Enable frozen string in app/graphql + app/finders Partially addresses #47424. 2018-09-11 15:08:34 -04:00			`# frozen_string_literal: true`

Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`# Module to prepend into finders to specify wether or not the finder requires`
			`# cross project access`
			`#`
			`# This module depends on the finder implementing the following methods:`
			`#`
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00			# - `#execute` should return an `ActiveRecord::Relation` or the `model` needs to
			# be defined in the call to `requires_cross_project_access`.
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			# - `#current_user` the user that requires access (or nil)
			`module FinderWithCrossProjectAccess`
			`extend ActiveSupport::Concern`
			`extend ::Gitlab::Utils::Override`

			`prepended do`
			`extend Gitlab::CrossProjectAccess::ClassMethods`
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00
			`cattr_accessor :finder_model`

			`def self.requires_cross_project_access(*args)`
			`super`

			`self.finder_model = extract_model_from_arguments(args)`
			`end`

			`private`

			`def self.extract_model_from_arguments(args)`
			`args.detect { \|argument\| argument.is_a?(Hash) && argument[:model] }`
			`&.fetch(:model)`
			`end`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`end`

			`override :execute`
			`def execute(*args)`
			`check = Gitlab::CrossProjectAccess.find_check(self)`
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00			`original = -> { super }`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00			`return original.call unless check`
			`return original.call if should_skip_cross_project_check \|\| can_read_cross_project?`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00
			`if check.should_run?(self)`
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00			`finder_model&.none \|\| original.call.model.none`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`else`
Hide confidential events in ruby We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, which would include confidential events. But we're not disclosing anything. 2018-12-07 12:09:00 -05:00			`original.call`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`end`
			`end`

			`# We can skip the cross project check for finding indivitual records.`
			# this would be handled by the `can?(:read_*, result)` call in `FinderMethods`
			`# itself.`
			`override :find_by!`
			`def find_by!(*args)`
			`skip_cross_project_check { super }`
			`end`

			`override :find_by`
			`def find_by(*args)`
			`skip_cross_project_check { super }`
			`end`

			`override :find`
			`def find(*args)`
			`skip_cross_project_check { super }`
			`end`

			`attr_accessor :should_skip_cross_project_check`

			`def skip_cross_project_check`
			`self.should_skip_cross_project_check = true`

			`yield`
			`ensure`
			# The find could raise an `ActiveRecord::RecordNotFound`, after which we
			`# still want to re-enable the check.`
			`self.should_skip_cross_project_check = false`
			`end`

			`def can_read_cross_project?`
			`Ability.allowed?(current_user, :read_cross_project)`
			`end`

			`def can_read_project?(project)`
			`Ability.allowed?(current_user, :read_project, project)`
			`end`
			`end`