Commit graph

24 commits

Author SHA1 Message Date
Douwe Maan
ad309f5d11 Merge branch 'snippets-finder-visibility' into 'security'
Refactor snippets finder & dont return internal snippets for external users

See merge request !2094
2017-05-10 16:48:18 +02:00
Jarka Kadlecova
8c3a03c1b9 Display comments for personal snippets 2017-05-02 13:07:53 +02:00
Douwe Maan
afa53810de
Fix specs 2017-04-05 17:44:14 +01:00
Douwe Maan
21e10888c3
Address review comments 2017-04-05 17:44:14 +01:00
Douwe Maan
08bbb9fce6
Add option to start a new discussion on an MR 2017-04-05 17:44:14 +01:00
Douwe Maan
5c7f9d69e3 Fix code for cops 2017-02-23 09:31:57 -06:00
Douwe Maan
8a4d68c53e Enable Style/ConditionalAssignment 2017-02-23 09:31:57 -06:00
Douwe Maan
12db4cc0e7 Merge branch 'jej-note-search-uses-finder' into 'security'
Fix missing Note access checks in by moving Note#search to updated NoteFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠️ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
 - Permissions check tested

### Note lookup without access check

- [x]  app/finders/notes_finder.rb:13 :download_code check
- [x]  app/finders/notes_finder.rb:19 `SnippetsFinder`
- [x]  app/models/note.rb:121 [`Issue#visible_to_user`]
- [x]  lib/gitlab/project_search_results.rb:113
  - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
  - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.

### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
  - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223

###  Acceptance criteria met?
- [x] Tests added for new code
- [x] TODO comments removed
- [x] Squashed and removed skipped tests
- [x] Changelog entry
- [ ] State Gitlab versions affected and issue severity in description
- [ ] Create technical debt issue for NotesFinder.
  - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
  - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
  - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`

See merge request !2035
2016-12-15 11:40:12 -03:00
Douwe Maan
f23b1cb453 Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security'
Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
 - Permissions check tested

- [x] 💣  app/finders/notes_finder.rb:17
- [x] ⚠️  app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] 💣  app/controllers/concerns/creates_commit.rb:84
- [x] 🚥  app/controllers/projects/commits_controller.rb:24
- [x] 🚥  app/controllers/projects/compare_controller.rb:56
- [x] 🚦  app/controllers/projects/discussions_controller.rb:29
- [x]   app/controllers/projects/todos_controller.rb:27
- [x] 🚦  app/models/commit.rb:268
- [x]  lib/gitlab/search_results.rb:71

- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use  of unchecked `merged_merge_request?`

See merge request !2033
2016-12-08 21:42:07 -03:00
Douwe Maan
3bf34face4 Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'
Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠️ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
 - Permissions check tested

### Issue lookup with access check

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x]  app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x]  lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x]  lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x]  lib/gitlab/search_results.rb:53 [`visible_to_user`]

### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
2016-11-28 21:26:23 -03:00
Douglas Barbosa Alexandre
2d29ca85e8 Fix notes on confidential issues through JSON to users without access 2016-06-14 17:51:17 -03:00
Fatih Acet
bb883387f9 Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce into awardables
# Conflicts:
#	app/controllers/projects/merge_requests_controller.rb
#	app/models/note.rb
#	db/schema.rb
#	spec/models/note_spec.rb
2016-05-18 13:05:53 -05:00
Douwe Maan
99d3e21f19 Extract LegacyDiffNote out of Note 2016-05-13 17:31:43 -05:00
Arinde Eniola
4eb16290e4 move frontend logic from previous MR to new MR 2016-05-06 10:47:12 +02:00
Valery Sizov
06a4fd1035 css improvements 2015-11-19 01:25:59 +02:00
Dmitriy Zaporozhets
3e97ac2022 Add index on order columns 2015-02-06 10:21:48 -08:00
Dmitriy Zaporozhets
8952fc015f Apply default scope to labels and remove one for notes 2015-02-05 20:29:41 -08:00
Dmitriy Zaporozhets
368e9a0862 Rubocop: Style/CaseIndentation enabled 2015-02-02 21:26:40 -08:00
Dmitriy Zaporozhets
75e903c08b
Fix project snippet comments loading
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-07-02 19:53:41 +03:00
Jacob Vosmaer
bd8b2b7fd9 Default last_fetched_at to 0 for old clients
Users who have not refreshed their browser tab will poll GitLab using
outdated JS. This change makes the server fall back to the old behavior
(send all comments) for old clients, instead of throwing an exception
for old clients.
2014-04-28 16:39:42 +02:00
Jacob Vosmaer
285926918b Serialize last_fetched_at as a string with seconds 2014-04-28 12:42:01 +02:00
Jacob Vosmaer
0b615eb0e2 Filter out old notes in NotesFinder 2014-04-28 12:13:29 +02:00
Jacob Vosmaer
7339464e77 Fail faster on an invalid target_type 2014-04-28 11:55:13 +02:00
Dmitriy Zaporozhets
645e8d4705
Move services for collecting items to Finders
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-02-25 19:15:08 +02:00