79d94b1679
Honour issue and merge request visibility in their respective finders This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private". Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481 See merge request !2000 |
||
|---|---|---|
| .. | ||
| access_requests_finder.rb | ||
| branches_finder.rb | ||
| contributed_projects_finder.rb | ||
| group_projects_finder.rb | ||
| groups_finder.rb | ||
| issuable_finder.rb | ||
| issues_finder.rb | ||
| joined_groups_finder.rb | ||
| labels_finder.rb | ||
| merge_requests_finder.rb | ||
| milestones_finder.rb | ||
| move_to_project_finder.rb | ||
| notes_finder.rb | ||
| personal_projects_finder.rb | ||
| pipelines_finder.rb | ||
| projects_finder.rb | ||
| README.md | ||
| snippets_finder.rb | ||
| tags_finder.rb | ||
| todos_finder.rb | ||
| union_finder.rb | ||
Finders
This type of classes responsible for collection items based on different conditions. To prevent lookup methods in models like this:
class Project
def issues_for_user_filtered_by(user, filter)
# A lot of logic not related to project model itself
end
end
issues = project.issues_for_user_filtered_by(user, params)
Better use this:
issues = IssuesFinder.new(project, user, filter).execute
It will help keep models thiner.