gitlab-org--gitlab-foss/app/finders
Douwe Maan 3bf34face4 Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'
Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠️ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
 - Permissions check tested

### Issue lookup with access check

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x]  app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x]  lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x]  lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x]  lib/gitlab/search_results.rb:53 [`visible_to_user`]

### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
2016-11-28 21:26:23 -03:00
..
access_requests_finder.rb Use Ability.allowed? instead of current_user.can? in AccessRequestsFinder 2016-09-28 08:46:59 +02:00
branches_finder.rb implements the basic filter functionality 2016-07-19 19:30:10 +01:00
contributed_projects_finder.rb Tweaks, refactoring, and specs 2016-03-20 21:04:07 +01:00
group_projects_finder.rb Fix groups API to list only user's accessible projects 2016-05-24 18:14:12 -07:00
groups_finder.rb Tweaks, refactoring, and specs 2016-03-20 21:04:07 +01:00
issuable_finder.rb Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security' 2016-11-28 21:26:23 -03:00
issues_finder.rb fix issues mr counter 2016-09-20 14:39:15 +01:00
joined_groups_finder.rb Address feedback 2016-03-22 00:09:20 +01:00
labels_finder.rb Limit labels returned for a specific project as an administrator 2016-11-16 15:04:51 +02:00
merge_requests_finder.rb fix issues mr counter 2016-09-20 14:39:15 +01:00
milestones_finder.rb sort milestones by due_date 2015-12-03 08:53:34 -06:00
move_to_project_finder.rb Move to project dropdown with infinite scroll for better performance 2016-08-18 15:31:51 +02:00
notes_finder.rb Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security' 2016-11-28 21:26:23 -03:00
personal_projects_finder.rb Tweaks, refactoring, and specs 2016-03-20 21:04:07 +01:00
pipelines_finder.rb Use PipelinesFinder in Pipelines API 2016-09-07 15:38:03 +02:00
projects_finder.rb Pass project IDs relation to ProjectsFinder instead of using a block 2016-08-15 12:49:31 +02:00
README.md Set milestone on new issue when creating issue from index with milestone filter active. 2015-05-27 14:22:11 +02:00
snippets_finder.rb Project members with guest role can't access confidential issues 2016-06-13 19:32:00 -03:00
tags_finder.rb add specs for tags finder 2016-08-31 19:16:47 +01:00
todos_finder.rb remove Ability.abilities 2016-08-30 11:35:06 -07:00
union_finder.rb Tweaks, refactoring, and specs 2016-03-20 21:04:07 +01:00

Finders

This type of classes responsible for collection items based on different conditions. To prevent lookup methods in models like this:

class Project
  def issues_for_user_filtered_by(user, filter)
    # A lot of logic not related to project model itself
  end
end

issues = project.issues_for_user_filtered_by(user, params)

Better use this:

issues = IssuesFinder.new(project, user, filter).execute

It will help keep models thiner.