Commit graph

13 commits

Author SHA1 Message Date
YarNayar
99404a5851 Search feature: redirects to commit page if query is commit sha and only commit found
See !8028 and #24833
2017-01-24 14:58:00 +03:00
Douwe Maan
f23b1cb453 Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security'
Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
 - Permissions check tested

- [x] 💣  app/finders/notes_finder.rb:17
- [x] ⚠️  app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] 💣  app/controllers/concerns/creates_commit.rb:84
- [x] 🚥  app/controllers/projects/commits_controller.rb:24
- [x] 🚥  app/controllers/projects/compare_controller.rb:56
- [x] 🚦  app/controllers/projects/discussions_controller.rb:29
- [x]   app/controllers/projects/todos_controller.rb:27
- [x] 🚦  app/models/commit.rb:268
- [x]  lib/gitlab/search_results.rb:71

- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use  of unchecked `merged_merge_request?`

See merge request !2033
2016-12-08 21:42:07 -03:00
Douwe Maan
3bf34face4 Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'
Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠️ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
 - Permissions check tested

### Issue lookup with access check

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x]  app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x]  lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x]  lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x]  lib/gitlab/search_results.rb:53 [`visible_to_user`]

### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
2016-11-28 21:26:23 -03:00
Valery Sizov
03bed0fbd3 Clean up search result classes 2016-09-06 10:12:55 +03:00
Douglas Barbosa Alexandre
f2ba4e3d36 Restrict access to confidential issues on search results 2016-03-17 20:55:59 -03:00
Yorick Peterse
b77b3b16b6 Removed order from sub-query projects for search
There's no need to order queries used as sub-queries and doing so can
add potential overhead.
2016-03-11 15:25:23 -05:00
Yorick Peterse
013542965c Refactor Gitlab::SearchResults
Instead of plucking IDs this class now uses ActiveRecord::Relation
objects. Plucking IDs is problematic as searching for projects can lead
to a huge amount of IDs being loaded into memory only to be used as an
argument for another query (instead of just using a sub-query).
2016-03-11 15:25:22 -05:00
Valery Sizov
56527b63e8 Ability to search milestones 2015-08-24 13:59:01 +03:00
Nikita Verkhovin
241f5971ba Add search issues/MR by number 2015-05-18 13:09:13 +06:00
Dmitriy Zaporozhets
c5c906fe64
Fix tests
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-27 15:26:35 +03:00
Dmitriy Zaporozhets
8b00d01c67
Search by issue/mr title and description
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-27 12:47:30 +03:00
Dmitriy Zaporozhets
9e5bc43263
Pass scope and page to Gitlab::SearchResults#objects instead of initialize
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-27 00:04:14 +03:00
Dmitriy Zaporozhets
9a4ef7e7eb
Search results libraries added
Gitlab::SearchResults and Gitlab::ProjectSearchResults are libraries we
are going to use to get search results based on query, enitity type and
pagination.

It will allow us to get only issues from project #23 where title or
description includes 'foo'.

Ex:

search_results = Gitlab::ProjectSearchResults.new(project.id, 'foo', 'issues')

search_results.objects => # [<Issues #23>, <Issues #34>]
search_results.issues_count => 2
search_results.total_count => 12 (it includes results from comments and
merge requests too)

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-26 23:32:41 +03:00