3bf34face4
Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR? ⚠️ - Potentially untested 💣 - No test coverage 🚥 - Test coverage of some sort exists (a test failed when error raised) 🚦 - Test coverage of return value (a test failed when nil used) ✅ - Permissions check tested ### Issue lookup with access check Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells). - [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`] - [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`] - [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`] - [x] ✅ lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone - [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too? - [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`] ### Previous discussions - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126 - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87 See merge request !2031
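module Gitlab
  # Aggregates global search results for one user, scoped to a set of projects.
  #
  # Issue visibility is delegated to IssuesFinder (see #issues), so issues the
  # user may not read are dropped before any text search or count is applied.
  # Merge requests and milestones rely on +limit_projects+ already being
  # restricted to projects the user can access.
  class SearchResults
    attr_reader :current_user, :query

    # Limit search results by passed projects
    # It allows us to search only for projects user has access to
    attr_reader :limit_projects

    # @param current_user [User, nil] the user performing the search
    # @param limit_projects [ActiveRecord::Relation, nil] projects to search in;
    #   falls back to Project.all when nil
    # @param query [String, nil] the raw search term; blank terms leave +query+ nil
    def initialize(current_user, limit_projects, query)
      @current_user = current_user
      @limit_projects = limit_projects || Project.all
      # NOTE(review): the term is shell-escaped before it ever reaches
      # full_search / search (e.g. spaces become "\ "); confirm that this is
      # intended for the SQL-side search and not a leftover from a shell caller.
      @query = Shellwords.shellescape(query) if query.present?
    end

    # Returns one page of results for +scope+.
    #
    # @param scope [String] 'projects', 'issues', 'merge_requests' or
    #   'milestones'; any other value yields an empty paginated array
    # @param page [Integer, nil] page number handed straight to Kaminari
    # @return [#page] a paginated relation (or paginated empty array)
    def objects(scope, page = nil)
      collection =
        case scope
        when 'projects'       then projects
        when 'issues'         then issues
        when 'merge_requests' then merge_requests
        when 'milestones'     then milestones
        else Kaminari.paginate_array([])
        end

      # Pagination is applied once here rather than in every branch.
      collection.page(page).per(per_page)
    end

    # Number of matching projects (memoized per instance).
    def projects_count
      @projects_count ||= projects.count
    end

    # Number of matching issues the user is allowed to see (memoized).
    def issues_count
      @issues_count ||= issues.count
    end

    # Number of matching merge requests (memoized).
    def merge_requests_count
      @merge_requests_count ||= merge_requests.count
    end

    # Number of matching milestones (memoized).
    def milestones_count
      @milestones_count ||= milestones.count
    end

    private

    def projects
      limit_projects.search(query)
    end

    # Issues visible to +current_user+ within the limited projects.
    # IssuesFinder is expected to apply the permission/confidentiality rules;
    # the project restriction alone is not relied on for issue visibility.
    def issues
      issues = IssuesFinder.new(current_user).execute.where(project_id: project_ids_relation)

      # A term ending in "#123" is an iid lookup rather than a text search.
      if query =~ /#(\d+)\z/
        issues = issues.where(iid: Regexp.last_match(1))
      else
        issues = issues.full_search(query)
      end

      issues.order('updated_at DESC')
    end

    def milestones
      milestones = Milestone.where(project_id: project_ids_relation)
      milestones = milestones.search(query)
      milestones.order('updated_at DESC')
    end

    def merge_requests
      merge_requests = MergeRequest.in_projects(project_ids_relation)
      # Both "#123" and "!123" suffixes are accepted as a direct iid lookup.
      if query =~ /[#!](\d+)\z/
        merge_requests = merge_requests.where(iid: Regexp.last_match(1))
      else
        merge_requests = merge_requests.full_search(query)
      end
      merge_requests.order('updated_at DESC')
    end

    def default_scope
      'projects'
    end

    def per_page
      20
    end

    # Id-only relation over the limited projects; reorder(nil) clears any
    # ordering, presumably so it is usable as the IN (...) subquery that
    # where(project_id: ...) builds.
    def project_ids_relation
      limit_projects.select(:id).reorder(nil)
    end
  end
end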