gitlab-org--gitlab-foss/app/finders
Douwe Maan 79d94b1679 Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481

See merge request !2000
2016-11-09 12:24:13 +01:00
..
access_requests_finder.rb Use Ability.allowed? instead of current_user.can? in AccessRequestsFinder 2016-09-28 08:46:59 +02:00
branches_finder.rb implements the basic filter functionality 2016-07-19 19:30:10 +01:00
contributed_projects_finder.rb
group_projects_finder.rb Fix groups API to list only user's accessible projects 2016-05-24 18:14:12 -07:00
groups_finder.rb
issuable_finder.rb Merge branch '22481-honour-issue-visibility-for-groups' into 'security' 2016-11-09 12:24:13 +01:00
issues_finder.rb fix issues mr counter 2016-09-20 14:39:15 +01:00
joined_groups_finder.rb
labels_finder.rb Skip authorization check when searching for labels on IssuableFinder 2016-10-31 23:27:49 -02:00
merge_requests_finder.rb fix issues mr counter 2016-09-20 14:39:15 +01:00
milestones_finder.rb
move_to_project_finder.rb Move to project dropdown with infinite scroll for better performance 2016-08-18 15:31:51 +02:00
notes_finder.rb Fix notes on confidential issues through JSON to users without access 2016-06-14 17:51:17 -03:00
personal_projects_finder.rb
pipelines_finder.rb Use PipelinesFinder in Pipelines API 2016-09-07 15:38:03 +02:00
projects_finder.rb Pass project IDs relation to ProjectsFinder instead of using a block 2016-08-15 12:49:31 +02:00
README.md
snippets_finder.rb Project members with guest role can't access confidential issues 2016-06-13 19:32:00 -03:00
tags_finder.rb add specs for tags finder 2016-08-31 19:16:47 +01:00
todos_finder.rb remove Ability.abilities 2016-08-30 11:35:06 -07:00
union_finder.rb

Finders

This type of classes responsible for collection items based on different conditions. To prevent lookup methods in models like this:

class Project
  def issues_for_user_filtered_by(user, filter)
    # A lot of logic not related to project model itself
  end
end

issues = project.issues_for_user_filtered_by(user, params)

Better use this:

issues = IssuesFinder.new(project, user, filter).execute

It will help keep models thiner.