gitlab-org--gitlab-foss/app/finders/labels_finder.rb

class LabelsFinder < UnionFinder
  prepend FinderWithCrossProjectAccess
  include FinderMethods
  include Gitlab::Utils::StrongMemoize

  requires_cross_project_access unless: -> { project? }

  def initialize(current_user, params = {})
    @current_user = current_user
    @params = params
  end

  def execute(skip_authorization: false)
    @skip_authorization = skip_authorization
    items = find_union(label_ids, Label) || Label.none
    items = with_title(items)
    items = by_search(items)
    sort(items)
  end

  private

  attr_reader :current_user, :params, :skip_authorization

  def label_ids
    label_ids = []

    if project?
      if project
        if project.group.present?
          labels_table = Label.arel_table
          group_ids = group_ids_for(project.group)

          label_ids << Label.where(
            labels_table[:type].eq('GroupLabel').and(labels_table[:group_id].in(group_ids)).or(
              labels_table[:type].eq('ProjectLabel').and(labels_table[:project_id].eq(project.id))
            )
          )
        else
          label_ids << project.labels
        end
      end
    else
      if group?
        group = Group.find(params[:group_id])
        label_ids << Label.where(group_id: group_ids_for(group))
      end

      label_ids << Label.where(group_id: projects.group_ids)
      label_ids << Label.where(project_id: projects.select(:id)) unless only_group_labels?
    end

    label_ids
  end

  def sort(items)
    items.reorder(title: :asc)
  end

  def with_title(items)
    return items if title.nil?
    return items.none if title.blank?

    items.where(title: title)
  end

  def by_search(labels)
    return labels unless search?

    labels.search(params[:search])
  end

  # Gets redacted array of group ids
  # which can include the ancestors and descendants of the requested group.
  def group_ids_for(group)
    strong_memoize(:group_ids) do
      groups = groups_to_include(group)

      groups_user_can_read_labels(groups).map(&:id)
    end
  end

  def groups_to_include(group)
    groups = [group]

    groups += group.ancestors if include_ancestor_groups?
    groups += group.descendants if include_descendant_groups?

    groups
  end

  def include_ancestor_groups?
    params[:include_ancestor_groups]
  end

  def include_descendant_groups?
    params[:include_descendant_groups]
  end

  def group?
    params[:group_id].present?
  end

  def project?
    params[:project_id].present?
  end

  def projects?
    params[:project_ids]
  end

  def only_group_labels?
    params[:only_group_labels]
  end

  def search?
    params[:search].present?
  end

  def title
    params[:title] || params[:name]
  end

  def project
    return @project if defined?(@project)

    if project?
      @project = Project.find(params[:project_id])
      @project = nil unless authorized_to_read_labels?(@project)
    else
      @project = nil
    end

    @project
  end

  def projects
    return @projects if defined?(@projects)

    @projects = if skip_authorization
                  Project.all
                else
                  ProjectsFinder.new(params: { non_archived: true }, current_user: current_user).execute
                end

    @projects = @projects.in_namespace(params[:group_id]) if group?
    @projects = @projects.where(id: params[:project_ids]) if projects?
    @projects = @projects.reorder(nil)

    @projects
  end

  def authorized_to_read_labels?(label_parent)
    return true if skip_authorization

    Ability.allowed?(current_user, :read_label, label_parent)
  end

  def groups_user_can_read_labels(groups)
    DeclarativePolicy.user_scope do
      groups.select { |group| authorized_to_read_labels?(group) }
    end
  end
end
LabelsFinder inherits from UnionFinder 2016-09-20 04:08:04 +00:00			`class LabelsFinder < UnionFinder`
Port `read_cross_project` ability from EE 2017-12-11 14:21:06 +00:00			`prepend FinderWithCrossProjectAccess`
			`include FinderMethods`
EE-BACKPORT group boards 2017-12-06 19:07:47 +00:00			`include Gitlab::Utils::StrongMemoize`

Port `read_cross_project` ability from EE 2017-12-11 14:21:06 +00:00			`requires_cross_project_access unless: -> { project? }`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def initialize(current_user, params = {})`
			`@current_user = current_user`
			`@params = params`
			`end`

Pass user instance to Labels::FindOrCreateService or skip_authorization: true Do not pass project.owner because it may return a group and Labels::FindOrCreateService throws an error in this case. Fixes #23694. 2016-10-28 09:31:45 +00:00			`def execute(skip_authorization: false)`
			`@skip_authorization = skip_authorization`
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`items = find_union(label_ids, Label) \|\| Label.none`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`items = with_title(items)`
Add ability to filter labels by title or description Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-07-20 14:19:58 +00:00			`items = by_search(items)`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`sort(items)`
			`end`

			`private`

Pass user instance to Labels::FindOrCreateService or skip_authorization: true Do not pass project.owner because it may return a group and Labels::FindOrCreateService throws an error in this case. Fixes #23694. 2016-10-28 09:31:45 +00:00			`attr_reader :current_user, :params, :skip_authorization`
Add LabelsFinder 2016-09-19 20:16:16 +00:00
LabelsFinder inherits from UnionFinder 2016-09-20 04:08:04 +00:00			`def label_ids`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`label_ids = []`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`if project?`
			`if project`
Optimize labels finder query Optimize labels finder query when searching for a project with a group 2017-03-26 21:43:35 +00:00			`if project.group.present?`
			`labels_table = Label.arel_table`
Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`group_ids = group_ids_for(project.group)`
Optimize labels finder query Optimize labels finder query when searching for a project with a group 2017-03-26 21:43:35 +00:00
			`label_ids << Label.where(`
Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`labels_table[:type].eq('GroupLabel').and(labels_table[:group_id].in(group_ids)).or(`
Optimize labels finder query Optimize labels finder query when searching for a project with a group 2017-03-26 21:43:35 +00:00			`labels_table[:type].eq('ProjectLabel').and(labels_table[:project_id].eq(project.id))`
			`)`
			`)`
			`else`
			`label_ids << project.labels`
			`end`
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`end`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`else`
Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`if group?`
			`group = Group.find(params[:group_id])`
			`label_ids << Label.where(group_id: group_ids_for(group))`
			`end`

Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`label_ids << Label.where(group_id: projects.group_ids)`
Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`label_ids << Label.where(project_id: projects.select(:id)) unless only_group_labels?`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`end`

			`label_ids`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`def sort(items)`
Remove order by label type on LabelsFinder 2016-10-19 13:59:31 +00:00			`items.reorder(title: :asc)`
List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def with_title(items)`
Improve readability and add specs for label filtering 2016-10-25 06:04:38 +00:00			`return items if title.nil?`
			`return items.none if title.blank?`

			`items.where(title: title)`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Add ability to filter labels by title or description Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-07-20 14:19:58 +00:00			`def by_search(labels)`
Move search param check into own method in app/finders/labels_finder.rb Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-07-28 08:32:50 +00:00			`return labels unless search?`
Add ability to filter labels by title or description Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-07-20 14:19:58 +00:00
			`labels.search(params[:search])`
			`end`

Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`# Gets redacted array of group ids`
			`# which can include the ancestors and descendants of the requested group.`
			`def group_ids_for(group)`
Allow to find labels in ancestor groups and better group support in label service 2018-02-26 16:23:19 +00:00			`strong_memoize(:group_ids) do`
Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`groups = groups_to_include(group)`

			`groups_user_can_read_labels(groups).map(&:id)`
EE-BACKPORT group boards 2017-12-06 19:07:47 +00:00			`end`
			`end`

Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`def groups_to_include(group)`
Allow to include also descendant group labels Because epic index page includes also epics from subgroups it's necessary to also get descendant group labels for filtering. https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4773#note_61236542 2018-03-02 08:25:25 +00:00			`groups = [group]`

Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`groups += group.ancestors if include_ancestor_groups?`
			`groups += group.descendants if include_descendant_groups?`
Allow to include also descendant group labels Because epic index page includes also epics from subgroups it's necessary to also get descendant group labels for filtering. https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4773#note_61236542 2018-03-02 08:25:25 +00:00
			`groups`
			`end`

Allow assigning and filtering issuables by ancestor group labels 2018-04-04 15:40:29 +00:00			`def include_ancestor_groups?`
			`params[:include_ancestor_groups]`
			`end`

			`def include_descendant_groups?`
			`params[:include_descendant_groups]`
			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def group?`
			`params[:group_id].present?`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def project?`
			`params[:project_id].present?`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def projects?`
Remove unnecessary query from labels filter 2018-01-17 14:28:36 +00:00			`params[:project_ids]`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`end`

EE-BACKPORT group boards 2017-12-06 19:07:47 +00:00			`def only_group_labels?`
			`params[:only_group_labels]`
			`end`

Move search param check into own method in app/finders/labels_finder.rb Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-07-28 08:32:50 +00:00			`def search?`
			`params[:search].present?`
			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def title`
Improve readability and add specs for label filtering 2016-10-25 06:04:38 +00:00			`params[:title] \|\| params[:name]`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`def project`
			`return @project if defined?(@project)`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`if project?`
			`@project = Project.find(params[:project_id])`
			`@project = nil unless authorized_to_read_labels?(@project)`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`else`
			`@project = nil`
			`end`

			`@project`
			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def projects`
			`return @projects if defined?(@projects)`

Hide archived project labels from group issue tracker 2017-06-29 05:23:38 +00:00			`@projects = if skip_authorization`
			`Project.all`
			`else`
			`ProjectsFinder.new(params: { non_archived: true }, current_user: current_user).execute`
			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`@projects = @projects.in_namespace(params[:group_id]) if group?`
			`@projects = @projects.where(id: params[:project_ids]) if projects?`
List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`@projects = @projects.reorder(nil)`
Add LabelsFinder 2016-09-19 20:16:16 +00:00
			`@projects`
			`end`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00
EE-BACKPORT group boards 2017-12-06 19:07:47 +00:00			`def authorized_to_read_labels?(label_parent)`
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`return true if skip_authorization`

EE-BACKPORT group boards 2017-12-06 19:07:47 +00:00			`Ability.allowed?(current_user, :read_label, label_parent)`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`end`
Allow to find labels in ancestor groups and better group support in label service 2018-02-26 16:23:19 +00:00
			`def groups_user_can_read_labels(groups)`
			`DeclarativePolicy.user_scope do`
			`groups.select { \|group\| authorized_to_read_labels?(group) }`
			`end`
			`end`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`