gitlab-org--gitlab-foss/app/finders/snippets_finder.rb

# Snippets Finder
#
# Used to filter Snippets collections by a set of params
#
# Arguments.
#
# current_user - The current user, nil also can be used.
# params:
#   visibility (integer) - Individual snippet visibility: Public(20), internal(10) or private(0).
#   project (Project) - Project related.
#   author (User) - Author related.
#
# params are optional
class SnippetsFinder < UnionFinder
  include Gitlab::Allowable
  include FinderMethods

  attr_accessor :current_user, :project, :params

  def initialize(current_user, params = {})
    @current_user = current_user
    @params = params
    @project = params[:project]
  end

  def execute
    items = init_collection
    items = by_author(items)
    items = by_visibility(items)

    items.fresh
  end

  private

  def init_collection
    if project.present?
      authorized_snippets_from_project
    else
      authorized_snippets
    end
  end

  def authorized_snippets_from_project
    if can?(current_user, :read_project_snippet, project)
      if project.team.member?(current_user)
        project.snippets
      else
        project.snippets.public_to_user(current_user)
      end
    else
      Snippet.none
    end
  end

  def authorized_snippets
    Snippet.where(feature_available_projects.or(not_project_related))
      .public_or_visible_to_user(current_user)
  end

  def feature_available_projects
    # Don't return any project related snippets if the user cannot read cross project
    return table[:id].eq(nil) unless Ability.allowed?(current_user, :read_cross_project)

    projects = Project.public_or_visible_to_user(current_user, use_where_in: false) do |part|
      part.with_feature_available_for_user(:snippets, current_user)
    end.select(:id)

    arel_query = Arel::Nodes::SqlLiteral.new(projects.to_sql)
    table[:project_id].in(arel_query)
  end

  def not_project_related
    table[:project_id].eq(nil)
  end

  def table
    Snippet.arel_table
  end

  def by_visibility(items)
    visibility = params[:visibility] || visibility_from_scope

    return items unless visibility

    items.where(visibility_level: visibility)
  end

  def by_author(items)
    return items unless params[:author]

    items.where(author_id: params[:author].id)
  end

  def visibility_from_scope
    case params[:scope].to_s
    when 'are_private'
      Snippet::PRIVATE
    when 'are_internal'
      Snippet::INTERNAL
    when 'are_public'
      Snippet::PUBLIC
    else
      nil
    end
  end
end
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`# Snippets Finder`
			`#`
			`# Used to filter Snippets collections by a set of params`
			`#`
			`# Arguments.`
			`#`
			`# current_user - The current user, nil also can be used.`
			`# params:`
			`# visibility (integer) - Individual snippet visibility: Public(20), internal(10) or private(0).`
			`# project (Project) - Project related.`
			`# author (User) - Author related.`
			`#`
			`# params are optional`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`class SnippetsFinder < UnionFinder`
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`include Gitlab::Allowable`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`include FinderMethods`

			`attr_accessor :current_user, :project, :params`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00
			`def initialize(current_user, params = {})`
			`@current_user = current_user`
			`@params = params`
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`@project = params[:project]`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`end`

			`def execute`
			`items = init_collection`
			`items = by_author(items)`
			`items = by_visibility(items)`

			`items.fresh`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00			`end`

			`private`

Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`def init_collection`
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`if project.present?`
			`authorized_snippets_from_project`
			`else`
			`authorized_snippets`
			`end`
			`end`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`def authorized_snippets_from_project`
			`if can?(current_user, :read_project_snippet, project)`
			`if project.team.member?(current_user)`
			`project.snippets`
			`else`
			`project.snippets.public_to_user(current_user)`
			`end`
			`else`
			`Snippet.none`
			`end`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00			`end`

Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`def authorized_snippets`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`Snippet.where(feature_available_projects.or(not_project_related))`
			`.public_or_visible_to_user(current_user)`
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`end`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`def feature_available_projects`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`# Don't return any project related snippets if the user cannot read cross project`
			`return table[:id].eq(nil) unless Ability.allowed?(current_user, :read_cross_project)`

Rename use_conditions_only option to use_where_in. 2018-02-20 11:02:11 -05:00			`projects = Project.public_or_visible_to_user(current_user, use_where_in: false) do \|part\|`
Remove duplication in Project methods. 2018-02-16 10:05:32 -05:00			`part.with_feature_available_for_user(:snippets, current_user)`
			`end.select(:id)`

Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`arel_query = Arel::Nodes::SqlLiteral.new(projects.to_sql)`
			`table[:project_id].in(arel_query)`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00			`end`

Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility 2018-01-18 11:07:06 -05:00			`def not_project_related`
			`table[:project_id].eq(nil)`
			`end`

			`def table`
			`Snippet.arel_table`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`end`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`def by_visibility(items)`
			`visibility = params[:visibility] \|\| visibility_from_scope`

			`return items unless visibility`

			`items.where(visibility_level: visibility)`
			`end`

			`def by_author(items)`
			`return items unless params[:author]`

			`items.where(author_id: params[:author].id)`
			`end`

			`def visibility_from_scope`
			`case params[:scope].to_s`
refactor duplicate code into a by_scope method 2016-12-09 15:40:48 -05:00			`when 'are_private'`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`Snippet::PRIVATE`
refactor duplicate code into a by_scope method 2016-12-09 15:40:48 -05:00			`when 'are_internal'`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`Snippet::INTERNAL`
refactor duplicate code into a by_scope method 2016-12-09 15:40:48 -05:00			`when 'are_public'`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`Snippet::PUBLIC`
refactor duplicate code into a by_scope method 2016-12-09 15:40:48 -05:00			`else`
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094 2017-04-28 18:06:27 -04:00			`nil`
refactor duplicate code into a by_scope method 2016-12-09 15:40:48 -05:00			`end`
			`end`
Snippets: public/internal/private 2014-10-08 09:44:25 -04:00			`end`