2018-12-13 13:39:08 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-08-24 12:49:21 +05:30
|
|
|
module Banzai
|
|
|
|
# Class for removing Markdown references a certain user is not allowed to
|
|
|
|
# view.
|
2019-09-30 21:07:59 +05:30
|
|
|
class ReferenceRedactor
|
2018-05-09 12:01:36 +05:30
|
|
|
attr_reader :context
|
2016-08-24 12:49:21 +05:30
|
|
|
|
2018-05-09 12:01:36 +05:30
|
|
|
# context - An instance of `Banzai::RenderContext`.
|
|
|
|
def initialize(context)
|
|
|
|
@context = context
|
|
|
|
end
|
|
|
|
|
|
|
|
def user
|
|
|
|
context.current_user
|
2016-08-24 12:49:21 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
# Redacts the references in the given Array of documents.
|
|
|
|
#
|
|
|
|
# This method modifies the given documents in-place.
|
|
|
|
#
|
|
|
|
# documents - A list of HTML documents containing references to redact.
|
|
|
|
#
|
|
|
|
# Returns the documents passed as the first argument.
|
|
|
|
def redact(documents)
|
2018-03-27 19:54:05 +05:30
|
|
|
redact_cross_project_references(documents) unless can_read_cross_project?
|
2016-08-24 12:49:21 +05:30
|
|
|
|
2018-03-27 19:54:05 +05:30
|
|
|
all_document_nodes = document_nodes(documents)
|
2016-08-24 12:49:21 +05:30
|
|
|
redact_document_nodes(all_document_nodes)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Redacts the given node documents
|
|
|
|
#
|
|
|
|
# data - An Array of a Hashes mapping an HTML document to nodes to redact.
|
|
|
|
def redact_document_nodes(all_document_nodes)
|
2019-10-12 21:52:04 +05:30
|
|
|
all_nodes = all_document_nodes.flat_map { |x| x[:nodes] }
|
2016-08-24 12:49:21 +05:30
|
|
|
visible = nodes_visible_to_user(all_nodes)
|
|
|
|
metadata = []
|
|
|
|
|
|
|
|
all_document_nodes.each do |entry|
|
|
|
|
nodes_for_document = entry[:nodes]
|
2018-11-08 19:23:39 +05:30
|
|
|
|
|
|
|
doc_data = {
|
2022-08-27 11:52:29 +05:30
|
|
|
document: entry[:document],
|
|
|
|
total_reference_count: nodes_for_document.count,
|
2018-11-08 19:23:39 +05:30
|
|
|
visible_reference_count: nodes_for_document.count
|
|
|
|
}
|
|
|
|
|
2016-08-24 12:49:21 +05:30
|
|
|
metadata << doc_data
|
|
|
|
|
|
|
|
nodes_for_document.each do |node|
|
|
|
|
next if visible.include?(node)
|
|
|
|
|
|
|
|
doc_data[:visible_reference_count] -= 1
|
2018-03-27 19:54:05 +05:30
|
|
|
redacted_content = redacted_node_content(node)
|
|
|
|
node.replace(redacted_content)
|
2016-08-24 12:49:21 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
metadata
|
|
|
|
end
|
|
|
|
|
2018-03-27 19:54:05 +05:30
|
|
|
# Return redacted content of given node as either the original link (<a> tag),
|
|
|
|
# the original content (text), or the inner HTML of the node.
|
|
|
|
#
|
|
|
|
def redacted_node_content(node)
|
|
|
|
original_content = node.attr('data-original')
|
2022-04-01 21:47:47 +05:30
|
|
|
original_content = CGI.escape_html(original_content) if original_content
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
# Build the raw <a> tag just with a link as href and content if
|
|
|
|
# it's originally a link pattern. We shouldn't return a plain text href.
|
|
|
|
original_link =
|
2022-04-01 21:47:47 +05:30
|
|
|
if node.attr('data-link-reference') == 'true'
|
2019-06-05 12:25:43 +05:30
|
|
|
href = node.attr('href')
|
|
|
|
|
2022-04-01 21:47:47 +05:30
|
|
|
%(<a href="#{href}">#{original_content}</a>)
|
2018-03-27 19:54:05 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
# The reference should be replaced by the original link's content,
|
|
|
|
# which is not always the same as the rendered one.
|
|
|
|
original_link || original_content || node.inner_html
|
|
|
|
end
|
|
|
|
|
|
|
|
def redact_cross_project_references(documents)
|
2018-05-09 12:01:36 +05:30
|
|
|
extractor = Banzai::IssuableExtractor.new(context)
|
2018-03-27 19:54:05 +05:30
|
|
|
issuables = extractor.extract(documents)
|
|
|
|
|
|
|
|
issuables.each do |node, issuable|
|
2018-05-09 12:01:36 +05:30
|
|
|
next if issuable.project == context.project_for_node(node)
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
node['class'] = node['class'].gsub('has-tooltip', '')
|
|
|
|
node['title'] = nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-08-24 12:49:21 +05:30
|
|
|
# Returns the nodes visible to the current user.
|
|
|
|
#
|
|
|
|
# nodes - The input nodes to check.
|
|
|
|
#
|
|
|
|
# Returns a new Array containing the visible nodes.
|
|
|
|
def nodes_visible_to_user(nodes)
|
|
|
|
per_type = Hash.new { |h, k| h[k] = [] }
|
|
|
|
visible = Set.new
|
|
|
|
|
|
|
|
nodes.each do |node|
|
|
|
|
per_type[node.attr('data-reference-type')] << node
|
|
|
|
end
|
|
|
|
|
|
|
|
per_type.each do |type, nodes|
|
2018-05-09 12:01:36 +05:30
|
|
|
parser = Banzai::ReferenceParser[type].new(context)
|
2016-08-24 12:49:21 +05:30
|
|
|
|
|
|
|
visible.merge(parser.nodes_visible_to_user(user, nodes))
|
2021-01-03 14:25:43 +05:30
|
|
|
rescue Banzai::ReferenceParser::InvalidReferenceType
|
2016-08-24 12:49:21 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
visible
|
|
|
|
end
|
|
|
|
|
|
|
|
def document_nodes(documents)
|
|
|
|
documents.map do |document|
|
|
|
|
{ document: document, nodes: Querying.css(document, 'a.gfm[data-reference-type]') }
|
|
|
|
end
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def can_read_cross_project?
|
|
|
|
Ability.allowed?(user, :read_cross_project)
|
|
|
|
end
|
2016-08-24 12:49:21 +05:30
|
|
|
end
|
|
|
|
end
|