gitlab-org--gitlab-foss/app/controllers/dashboard/projects_controller.rb
Cindy Pallares fe5f75930e
Merge branch 'security-fix-pat-web-access' into 'master'
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"

See merge request gitlab/gitlabhq!2583
2018-11-28 19:13:59 -05:00


# frozen_string_literal: true
# Dashboard-level listing of the current user's projects (all / starred),
# served as HTML, an Atom feed (index only) or a JSON-wrapped HTML fragment.
#
# Security notes for reviewers:
# - `index` is reachable without a browser session: the prepended filter below
#   runs `authenticate_sessionless_user!` before the rest of the filter chain so
#   a token can establish `current_user` for the feed. The `:rss` argument scopes
#   that sessionless sign-in to this endpoint. NOTE(review): this scoping is
#   presumably the fix referenced in the commit ("PAT with only read_user scope
#   can be used to authenticate any web request") — confirm in
#   `authenticate_sessionless_user!` that a token whose scope does not cover
#   the feed is rejected rather than silently accepted.
# - Both actions opt out of the cross-project access check; project visibility
#   is therefore delegated entirely to `ProjectsFinder`, which is always given
#   `current_user` (see `load_projects`).
# - Finder parameters are taken straight from `params` (user-controlled) and
#   only overridden for the keys merged here; the finder is expected to
#   whitelist/validate the rest (`sort`, `page`, filters) — verify there.
class Dashboard::ProjectsController < Dashboard::ApplicationController
  include ParamsBackwardCompatibility
  include RendersMemberAccess

  # Prepended so it runs ahead of the inherited authentication filters; only
  # the index action (the Atom feed) may be used with a sessionless token.
  prepend_before_action(only: [:index]) { authenticate_sessionless_user!(:rss) }
  # Provided by ParamsBackwardCompatibility — presumably maps a legacy
  # "archived" parameter onto the current one; see the concern for details.
  before_action :set_non_archived_param
  before_action :default_sorting

  # The generic cross-project check is skipped here; the finder does the
  # per-project filtering instead (it receives current_user).
  skip_cross_project_access_check :index, :starred

  # GET /dashboard/projects
  #
  # Lists the user's projects. `non_public: true` is forced into the finder
  # params regardless of what the request supplied.
  #
  # Formats: html (full page), atom (activity feed, see `load_events`),
  # json ({ html: <rendered _projects partial> }).
  def index
    @projects = load_projects(params.merge(non_public: true))

    respond_to do |format|
      format.html

      format.atom do
        load_events
        render layout: 'xml.atom'
      end

      format.json do
        # The partial is rendered through the view layer, so output escaping
        # is the template's responsibility; this only wraps the result.
        render json: {
          html: view_to_html_string("dashboard/projects/_projects", locals: { projects: @projects })
        }
      end
    end
  end

  # GET /dashboard/projects/starred
  #
  # Same as `index` but restricted to starred projects (`starred: true` forced
  # into the finder params). No atom format is offered here. `@groups` is set
  # to an empty array for the shared view.
  # rubocop: disable CodeReuse/ActiveRecord
  def starred
    @projects = load_projects(params.merge(starred: true))
      .includes(:forked_from_project, :tags)

    @groups = []

    respond_to do |format|
      format.html

      format.json do
        render json: {
          html: view_to_html_string("dashboard/projects/_projects", locals: { projects: @projects })
        }
      end
    end
  end
  # rubocop: enable CodeReuse/ActiveRecord

  private

  # Defaults `params[:sort]` to 'latest_activity_desc' when absent and exposes
  # the effective value as `@sort` for the view. Note this mutates `params`,
  # so the (untrusted) sort key also reaches ProjectsFinder via `load_projects`
  # — presumably the finder validates it against an allowed list; confirm.
  def default_sorting
    params[:sort] ||= 'latest_activity_desc'
    @sort = params[:sort]
  end

  # Runs ProjectsFinder for `current_user` with the given params, eager-loads
  # route/creator/namespace associations, paginates by `finder_params[:page]`
  # and hands the relation to `prepare_projects_for_rendering`
  # (RendersMemberAccess) before returning it.
  #
  # This is the authorization boundary for both actions: whatever the finder
  # returns is what gets rendered, so it must honour `current_user`.
  # rubocop: disable CodeReuse/ActiveRecord
  def load_projects(finder_params)
    projects = ProjectsFinder
      .new(params: finder_params, current_user: current_user)
      .execute
      .includes(:route, :creator, namespace: [:route, :owner])
      .page(finder_params[:page])

    prepare_projects_for_rendering(projects)
  end
  # rubocop: enable CodeReuse/ActiveRecord

  # Builds `@events` for the Atom feed from the same project set as `index`.
  #
  # Re-runs `load_projects` with identical params to the ones `index` already
  # used (a second query rather than reusing `@projects`). `params[:offset]`
  # is coerced with `to_i`, so a non-numeric value becomes 0 but a negative
  # value is passed through as-is — NOTE(review): confirm EventCollection
  # clamps it. `event_filter` comes from the parent controller/concern.
  def load_events
    projects = load_projects(params.merge(non_public: true))

    @events = EventCollection
      .new(projects, offset: params[:offset].to_i, filter: event_filter)
      .to_a

    Events::RenderService.new(current_user).execute(@events, atom_request: request.format.atom?)
  end
end