Commit 1207153b authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-id-fix-mr-visibility-11-8' into '11-8-stable'

Display the correct number of MRs a user has access to

See merge request gitlab/gitlabhq!2929
parents b001a30f b1bc3b81
...@@ -46,13 +46,6 @@ module Milestoneish ...@@ -46,13 +46,6 @@ module Milestoneish
end end
end end
def merge_requests_visible_to_user(user)
memoize_per_user(user, :merge_requests_visible_to_user) do
MergeRequestsFinder.new(user, {})
.execute.where(milestone_id: milestoneish_id)
end
end
def sorted_issues(user) def sorted_issues(user)
issues_visible_to_user(user).preload_associations.sort_by_attribute('label_priority') issues_visible_to_user(user).preload_associations.sort_by_attribute('label_priority')
end end
...@@ -61,6 +54,13 @@ module Milestoneish ...@@ -61,6 +54,13 @@ module Milestoneish
merge_requests_visible_to_user(user).sort_by_attribute('label_priority') merge_requests_visible_to_user(user).sort_by_attribute('label_priority')
end end
def merge_requests_visible_to_user(user)
memoize_per_user(user, :merge_requests_visible_to_user) do
MergeRequestsFinder.new(user, issues_finder_params)
.execute.where(milestone_id: milestoneish_id)
end
end
def upcoming? def upcoming?
start_date && start_date.future? start_date && start_date.future?
end end
......
...@@ -76,7 +76,7 @@ class ProjectFeature < ActiveRecord::Base ...@@ -76,7 +76,7 @@ class ProjectFeature < ActiveRecord::Base
# This feature might not be behind a feature flag at all, so default to true # This feature might not be behind a feature flag at all, so default to true
return false unless ::Feature.enabled?(feature, user, default_enabled: true) return false unless ::Feature.enabled?(feature, user, default_enabled: true)
get_permission(user, access_level(feature)) get_permission(user, feature)
end end
def access_level(feature) def access_level(feature)
...@@ -134,12 +134,12 @@ class ProjectFeature < ActiveRecord::Base ...@@ -134,12 +134,12 @@ class ProjectFeature < ActiveRecord::Base
(FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")} (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")}
end end
def get_permission(user, level) def get_permission(user, feature)
case level case access_level(feature)
when DISABLED when DISABLED
false false
when PRIVATE when PRIVATE
user && (project.team.member?(user) || user.full_private_access?) team_access?(user, feature)
when ENABLED when ENABLED
true true
when PUBLIC when PUBLIC
...@@ -148,4 +148,11 @@ class ProjectFeature < ActiveRecord::Base ...@@ -148,4 +148,11 @@ class ProjectFeature < ActiveRecord::Base
true true
end end
end end
def team_access?(user, feature)
return unless user
return true if user.full_private_access?
project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))
end
end end
...@@ -464,7 +464,7 @@ class ProjectPolicy < BasePolicy ...@@ -464,7 +464,7 @@ class ProjectPolicy < BasePolicy
when ProjectFeature::DISABLED when ProjectFeature::DISABLED
false false
when ProjectFeature::PRIVATE when ProjectFeature::PRIVATE
guest? || admin? admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
else else
true true
end end
......
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
= milestone_progress_bar(milestone) = milestone_progress_bar(milestone)
= link_to pluralize(milestone.total_issues_count(current_user), 'Issue'), issues_path = link_to pluralize(milestone.total_issues_count(current_user), 'Issue'), issues_path
&middot; &middot;
= link_to pluralize(milestone.merge_requests.size, 'Merge Request'), merge_requests_path = link_to pluralize(milestone.merge_requests_visible_to_user(current_user).size, 'Merge Request'), merge_requests_path
.float-lg-right.light #{milestone.percent_complete(current_user)}% complete .float-lg-right.light #{milestone.percent_complete(current_user)}% complete
.col-sm-2 .col-sm-2
.milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end .milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end
......
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
%li.nav-item %li.nav-item
= link_to '#tab-merge-requests', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do = link_to '#tab-merge-requests', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do
Merge Requests Merge Requests
%span.badge.badge-pill= milestone.merge_requests.size %span.badge.badge-pill= milestone.merge_requests_visible_to_user(current_user).size
- else - else
%li.nav-item %li.nav-item
= link_to '#tab-merge-requests', class: 'nav-link active', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do = link_to '#tab-merge-requests', class: 'nav-link active', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do
......
---
title: Display the correct number of MRs a user has access to
merge_request:
author:
type: security
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment