Commit graph

26 commits

Author SHA1 Message Date
Douwe Maan
12db4cc0e7 Merge branch 'jej-note-search-uses-finder' into 'security'
Fix missing Note access checks by moving Note#search to updated NoteFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠️ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
 - Permissions check tested

### Note lookup without access check

- [x]  app/finders/notes_finder.rb:13 :download_code check
- [x]  app/finders/notes_finder.rb:19 `SnippetsFinder`
- [x]  app/models/note.rb:121 [`Issue#visible_to_user`]
- [x]  lib/gitlab/project_search_results.rb:113
  - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
  - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.

### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `:download_code` check on commit
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
  - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223

###  Acceptance criteria met?
- [x] Tests added for new code
- [x] TODO comments removed
- [x] Squashed and removed skipped tests
- [x] Changelog entry
- [ ] State GitLab versions affected and issue severity in description
- [ ] Create technical debt issue for NotesFinder.
  - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
  - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
  - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`

See merge request !2035
2016-12-15 11:40:12 -03:00
Valery Sizov
a5632e802b Search for a filename in a project 2016-11-16 14:25:54 +02:00
Valery Sizov
869696bca3 Faster search 2016-11-08 14:21:19 +02:00
Valery Sizov
fd2c3a3da0 Refactoring find_commits functionality 2016-10-20 12:45:34 +03:00
Valery Sizov
03bed0fbd3 Clean up search result classes 2016-09-06 10:12:55 +03:00
Valery Sizov
9154586ce5 Confidential notes data leak 2016-05-31 21:32:53 +03:00
Douglas Barbosa Alexandre
f2ba4e3d36 Restrict access to confidential issues on search results 2016-03-17 20:55:59 -03:00
Yorick Peterse
8c2868e8ea Added ProjectSearchResults#project_ids_relation
This ensures some other methods such as the "issues" method still work.
2016-03-11 15:25:23 -05:00
Yorick Peterse
ec349dc1b6 Refactor Gitlab::ProjectSearchResults
Previously this class would be given a project ID which was then used to
retrieve the corresponding Project object. However, in all cases the
Project object was already known as it was used to grab the ID to pass
to ProjectSearchResults. By just passing a Project instead we remove the
need for an extra query as well as the need for some other complexity
in this class.
2016-03-11 15:25:22 -05:00
Dmitriy Zaporozhets
28f6fba97c
Fix commits search for empty repository
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2015-11-03 10:16:09 +01:00
Dmitriy Zaporozhets
810c91fe35
Refactor search by commits message
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2015-11-02 16:39:24 +01:00
Michael Chmielewski
b1f4aaa5e7 Trying to incorporate suggestions from comments on Merge Request 1661 2015-10-28 22:34:39 -04:00
Jonathan Schoeffling
5a5069969c Add support for searching commit log messages
Include the log messages of recent commits in project-level search
results, providing functionality similar to 'git log --grep'.

Update repository model rspec tests to validate the output of
Repository#commits_with_log_matching.
2015-10-28 22:34:39 -04:00
Dirceu Pereira Tiegs
d7bcfe4fc0 Fix issue #3055 (project search with unmatched parentheses) 2015-10-21 10:20:40 -02:00
Jeroen van Baarsen
25a870a6d4 Revert "No need to check if repository_ref is present" 2015-06-09 15:18:15 +02:00
zenati
c418261b2b No need to check if repository_ref is present
There is no need to check if `repository_ref` is present as:
```
      @repository_ref = if repository_ref.present?
                          repository_ref
                        else
                          nil
                        end
```

is the same as doing:

```
@repository_ref = repository_ref
```
2015-06-08 18:01:50 +02:00
Douwe Maan
6b92236eeb Don't include system notes in issue/MR comment count. 2015-03-23 16:43:08 +01:00
Dmitriy Zaporozhets
424b42d6e9
Fix 500 error on empty search in project
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-09-25 15:01:02 +03:00
Dmitriy Zaporozhets
4b65b0e0f5
Fix wiki
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-09-25 13:56:23 +03:00
Dmitriy Zaporozhets
6b7e80cb19
Prevent 500 error when search wiki for non-existing repo
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-09-09 17:56:33 +03:00
Ralf Seidler
9edf6d4dd0 Fixed trailing white space 2014-09-06 20:42:11 +02:00
Ralf Seidler
23241c181c Fixed houndci complaining over too long lines 2014-09-06 11:46:14 +02:00
Ralf Seidler
d93b046c4c Added search wiki feature 2014-09-05 13:36:43 +02:00
Dmitriy Zaporozhets
c5c906fe64
Fix tests
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-27 15:26:35 +03:00
Dmitriy Zaporozhets
9e5bc43263
Pass scope and page to Gitlab::SearchResults#objects instead of initialize
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-27 00:04:14 +03:00
Dmitriy Zaporozhets
9a4ef7e7eb
Search results libraries added
Gitlab::SearchResults and Gitlab::ProjectSearchResults are libraries we
are going to use to get search results based on query, entity type and
pagination.

It will allow us to get only issues from project #23 where title or
description includes 'foo'.

Ex:

```
search_results = Gitlab::ProjectSearchResults.new(project.id, 'foo', 'issues')

search_results.objects      # => [<Issues #23>, <Issues #34>]
search_results.issues_count # => 2
search_results.total_count  # => 12 (it includes results from comments and merge requests too)
```

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-26 23:32:41 +03:00