Refresh patches

Pirate Praveen 2019-12-04 21:09:36 +05:30
parent 0de7cdbb9c
commit e261f2f0ba
20 changed files with 74 additions and 419 deletions


@ -49,9 +49,9 @@ gitlab Gemfile
+gem 'rack-oauth2', '~> 1.9', '>= 1.9.3'
+gem 'jwt', '~> 2.1'
# Spam and anti-bot protection
gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails'
@@ -54,38 +54,38 @@
# Kerberos authentication. EE-only
gem 'gssapi', group: :kerberos
@@ -57,41 +57,41 @@
gem 'invisible_captcha', '~> 0.12.1'
# Two-factor authentication
@ -93,16 +93,19 @@ gitlab Gemfile
+gem 'rack-cors', '~> 1.0', require: 'rack/cors'
# GraphQL API
-gem 'graphql', '~> 1.8.0'
-gem 'graphql', '~> 1.9.11'
+gem 'graphql', '~> 1.9', '>= 1.9.11'
# NOTE: graphiql-rails v1.5+ doesn't work: https://gitlab.com/gitlab-org/gitlab-ce/issues/67293
# TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 is released:
# https://gitlab.com/gitlab-org/gitlab-ce/issues/67263
-gem 'graphiql-rails', '~> 1.4.10'
-gem 'apollo_upload_server', '~> 2.0.0.beta3'
+gem 'graphql', '~> 1.8'
+gem 'graphiql-rails', '~> 1.4', '>= 1.4.10'
+gem 'apollo_upload_server', '>= 2.0.0.beta3'
gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]
# Disable strong_params so that Mash does not respond to :permitted?
@@ -95,7 +95,7 @@
@@ -101,7 +101,7 @@
gem 'kaminari', '~> 1.0'
# HAML
@ -111,22 +114,26 @@ gitlab Gemfile
# Files attachments
gem 'carrierwave', '~> 1.3'
@@ -105,7 +105,7 @@
@@ -111,7 +111,7 @@
gem 'fog-aws', '~> 3.5'
# Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
# Also see config/initializers/fog_core_patch.rb.
-gem 'fog-core', '= 2.1.0'
+gem 'fog-core', '= 2.1'
gem 'fog-google', '~> 1.8'
gem 'fog-google', '~> 1.9'
gem 'fog-local', '~> 0.6'
gem 'fog-openstack', '~> 1.0'
@@ -119,39 +119,39 @@
@@ -125,7 +125,7 @@
gem 'unf', '~> 0.1.4'
# Seed data
-gem 'seed-fu', '~> 2.3.7'
+gem 'seed-fu', '~> 2.3', '>= 2.3.7'
# Search
gem 'elasticsearch-model', '~> 0.1.9'
@@ -136,35 +136,35 @@
# Markdown and HTML processing
gem 'html-pipeline', '~> 2.8'
-gem 'deckar01-task_list', '2.2.0'
@ -171,7 +178,7 @@ gitlab Gemfile
gem 'unicorn-worker-killer', '~> 0.4.4'
end
@@ -168,13 +168,13 @@
@@ -181,13 +181,13 @@
gem 'acts-as-taggable-on', '~> 6.0'
# Background jobs
@ -180,7 +187,7 @@ gitlab Gemfile
gem 'sidekiq-cron', '~> 1.0'
-gem 'redis-namespace', '~> 1.6.0'
+gem 'redis-namespace', '~> 1.6'
gem 'gitlab-sidekiq-fetcher', '0.5.1', require: 'sidekiq-reliable-fetch'
gem 'gitlab-sidekiq-fetcher', '0.5.2', require: 'sidekiq-reliable-fetch'
# Cron Parser
-gem 'fugit', '~> 1.2.1'
@ -188,7 +195,7 @@ gitlab Gemfile
# HTTP requests
gem 'httparty', '~> 0.16.4'
@@ -186,14 +186,14 @@
@@ -199,14 +199,14 @@
gem 'ruby-progressbar'
# GitLab settings
@ -206,7 +213,7 @@ gitlab Gemfile
# Export Ruby Regex to Javascript
gem 'js_regex', '~> 3.1'
@@ -206,13 +206,13 @@
@@ -219,13 +219,13 @@
gem 'connection_pool', '~> 2.0'
# Redis session store
@ -221,8 +228,8 @@ gitlab Gemfile
+gem 'hipchat', '~> 1.5'
# Jira integration
gem 'jira-ruby', '~> 1.4'
@@ -221,7 +221,7 @@
gem 'jira-ruby', '~> 1.7'
@@ -235,7 +235,7 @@
gem 'flowdock', '~> 0.7'
# Slack integration
@ -231,12 +238,12 @@ gitlab Gemfile
# Hangouts Chat integration
gem 'hangouts-chat', '~> 0.0.5'
@@ -233,11 +233,11 @@
@@ -247,11 +247,11 @@
gem 'ruby-fogbugz', '~> 0.2.1'
# Kubernetes integration
-gem 'kubeclient', '~> 4.2.2'
+gem 'kubeclient', '~> 4.2', '>= 4.2.2'
-gem 'kubeclient', '~> 4.4.0'
+gem 'kubeclient', '~> 4.4'
# Sanitize user input
gem 'sanitize', '~> 4.6'
@ -245,7 +252,7 @@ gitlab Gemfile
# Sanitizes SVG input
gem 'loofah', '~> 2.2'
@@ -246,10 +246,10 @@
@@ -260,10 +260,10 @@
gem 'licensee', '~> 8.9'
# Protect against bruteforcing
@ -258,7 +265,7 @@ gitlab Gemfile
# Detect and convert string character encoding
gem 'charlock_holmes', '~> 0.7.5'
@@ -267,21 +267,21 @@
@@ -281,10 +281,10 @@
gem 'webpack-rails', '~> 0.9.10'
gem 'rack-proxy', '~> 0.6.0'
@ -272,11 +279,7 @@ gitlab Gemfile
gem 'font-awesome-rails', '~> 4.7'
gem 'gemojione', '~> 3.3'
gem 'gon', '~> 6.2'
gem 'request_store', '~> 1.3'
-gem 'virtus', '~> 1.0.1'
+gem 'virtus', '~> 1.0', '>=1.0.1'
gem 'base32', '~> 0.3.0'
@@ -296,7 +296,7 @@
# Sentry integration
gem 'sentry-raven', '~> 2.9'
@ -284,8 +287,8 @@ gitlab Gemfile
+gem 'premailer-rails', '~> 1.9', '>=1.9.7'
# LabKit: Tracing and Correlation
gem 'gitlab-labkit', '~> 0.4.2'
@@ -289,14 +289,14 @@
gem 'gitlab-labkit', '~> 0.5'
@@ -304,11 +304,11 @@
# I18n
gem 'ruby_parser', '~> 3.8', require: false
gem 'rails-i18n', '~> 5.1'
@ -299,12 +302,8 @@ gitlab Gemfile
+gem 'batch-loader', '~> 1.4'
# Perf bar
-gem 'peek', '~> 1.0.1'
+gem 'peek', '~> 1.0', '>= 1.0.1'
# Snowplow events tracking
gem 'snowplow-tracker', '~> 0.6.1'
@@ -330,39 +330,39 @@
# https://gitlab.com/gitlab-org/gitlab-ee/issues/13996
@@ -347,62 +347,62 @@
end
group :development, :test do
@ -357,16 +356,14 @@ gitlab Gemfile
gem 'scss_lint', '~> 0.56.0', require: false
gem 'haml_lint', '~> 0.31.0', require: false
@@ -370,7 +370,7 @@
gem 'simplecov', '~> 0.16.1', require: false
gem 'bundler-audit', '~> 0.5.0', require: false
gem 'mdl', '~> 0.5.0', require: false
- gem 'benchmark-ips', '~> 2.3.0', require: false
+ gem 'benchmark-ips', '~> 2.3', require: false
gem 'license_finder', '~> 5.4', require: false
gem 'knapsack', '~> 1.17'
@@ -379,16 +379,16 @@
gem 'stackprof', '~> 0.2.10', require: false
@ -388,7 +385,7 @@ gitlab Gemfile
gem 'rails-controller-testing'
gem 'concurrent-ruby', '~> 1.1'
gem 'test-prof', '~> 0.2.5'
@@ -412,11 +412,11 @@
@@ -426,11 +426,11 @@
gem 'oauth2', '~> 1.4'
# Health check
@ -401,9 +398,9 @@ gitlab Gemfile
+gem 'vmstat', '~> 2.3'
+gem 'sys-filesystem', '~> 1.1', '>= 1.1.6'
# SSH host key support
gem 'net-ssh', '~> 5.2'
@@ -429,13 +429,13 @@
# NTP client
gem 'net-ntp'
@@ -446,13 +446,13 @@
end
# Gitaly GRPC protocol definitions
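Review bot: Two of the refreshed constraints in this patch omit the space after the operator, `+gem 'virtus', '~> 1.0', '>=1.0.1'` in the hunk at `@ -272,11 +279,7 @@` and `+gem 'premailer-rails', '~> 1.9', '>=1.9.7'` in the hunk at `@ -284,8 +287,8 @@`, while every other relaxed line in the same file writes the bound as `'>= 1.9.3'`, `'>= 2.3.7'`, `'>= 4.2.2'`. Gem::Requirement accepts both spellings, so this is consistency only; I would write them as `gem 'virtus', '~> 1.0', '>= 1.0.1'` and `gem 'premailer-rails', '~> 1.9', '>= 1.9.7'`. Each relaxed line keeps upstream's exact lower bound as the `>=` term, which is the part that preserves the minimum fixed version while letting the packaged gem float within the minor series.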


@ -2,15 +2,15 @@ Bundler will fail when it can't find these locally
--- a/Gemfile
+++ b/Gemfile
@@ -86,7 +86,6 @@
gem 'graphql', '~> 1.8'
@@ -92,7 +92,6 @@
# https://gitlab.com/gitlab-org/gitlab-ce/issues/67263
gem 'graphiql-rails', '~> 1.4', '>= 1.4.10'
gem 'apollo_upload_server', '>= 2.0.0.beta3'
-gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]
# Disable strong_params so that Mash does not respond to :permitted?
gem 'hashie-forbidden_attributes'
@@ -291,7 +290,6 @@
@@ -306,7 +305,6 @@
gem 'rails-i18n', '~> 5.1'
gem 'gettext_i18n_rails', '~> 1.8'
gem 'gettext_i18n_rails_js', '~> 1.3'
@ -18,13 +18,14 @@ Bundler will fail when it can't find these locally
gem 'batch-loader', '~> 1.4'
@@ -314,21 +312,6 @@
@@ -330,22 +328,6 @@
gem 'raindrops', '~> 0.18'
end
-group :development do
- gem 'foreman', '~> 0.84.0'
- gem 'brakeman', '~> 4.2', require: false
- gem 'danger', '~> 6.0', require: false
-
- gem 'letter_opener_web', '~> 1.3.4'
- gem 'rblineprof', '~> 0.3.6', platform: :mri, require: false


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -312,7 +312,7 @@
@@ -328,7 +328,7 @@
gem 'raindrops', '~> 0.18'
end
@ -9,7 +9,7 @@
gem 'bullet', '~> 5.5', require: !!ENV['ENABLE_BULLET']
gem 'pry-byebug', '~> 3.5', '>= 3.5.1', platform: :mri
gem 'pry-rails', '~> 0.3.4'
@@ -365,9 +365,7 @@
@@ -378,9 +378,7 @@
gem 'simple_po_parser', '~> 1.1', '>= 1.1.2', require: false
gem 'timecop', '~> 0.8.0'


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -176,7 +176,7 @@
@@ -189,7 +189,7 @@
gem 'fugit', '~> 1.2', '>= 1.2.1'
# HTTP requests


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -123,7 +123,6 @@
@@ -136,7 +136,6 @@
# Markdown and HTML processing
gem 'html-pipeline', '~> 2.8'
gem 'deckar01-task_list', '2.2'


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -153,12 +153,6 @@
@@ -166,12 +166,6 @@
gem 'unicorn-worker-killer', '~> 0.4.4'
end


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -306,7 +306,6 @@
@@ -322,7 +322,6 @@
end
if ENV["INCLUDE_TEST_DEPENDS"] == "true"


@ -1,6 +1,6 @@
--- a/Gemfile
+++ b/Gemfile
@@ -293,7 +293,8 @@
@@ -309,7 +309,8 @@
gem 'snowplow-tracker', '~> 0.6.1'
# Memory benchmarks


@ -1,7 +1,7 @@
--- a/Gemfile
+++ b/Gemfile
@@ -290,7 +290,7 @@
gem 'peek', '~> 1.0', '>= 1.0.1'
@@ -306,7 +306,7 @@
gem 'gitlab-peek', '~> 0.0.1', require: 'peek'
# Snowplow events tracking
-gem 'snowplow-tracker', '~> 0.6.1'


@ -1,11 +0,0 @@
--- a/Gemfile
+++ b/Gemfile
@@ -276,7 +276,7 @@
gem 'premailer-rails', '~> 1.9', '>=1.9.7'
# LabKit: Tracing and Correlation
-gem 'gitlab-labkit', '~> 0.4.2'
+gem 'gitlab-labkit', '~> 0.5'
# I18n
gem 'ruby_parser', '~> 3.8', require: false


@ -1,10 +1,10 @@
--- a/package.json
+++ b/package.json
@@ -145,60 +145,6 @@
@@ -147,62 +147,7 @@
"xterm": "^3.5.0"
},
"devDependencies": {
- "@babel/plugin-transform-modules-commonjs": "^7.2.0",
- "@babel/plugin-transform-modules-commonjs": "^7.5.0",
- "@gitlab/eslint-config": "^1.6.0",
- "@gitlab/eslint-plugin-i18n": "^1.1.0",
- "@gitlab/eslint-plugin-vue-i18n": "^1.2.0",
@ -21,7 +21,6 @@
- "eslint": "~5.9.0",
- "eslint-import-resolver-jest": "^2.1.1",
- "eslint-import-resolver-webpack": "^0.10.1",
- "eslint-plugin-html": "5.0.0",
- "eslint-plugin-import": "^2.14.0",
- "eslint-plugin-jasmine": "^2.10.1",
- "eslint-plugin-jest": "^22.3.0",
@ -45,6 +44,7 @@
- "karma-mocha-reporter": "^2.2.5",
- "karma-sourcemap-loader": "^0.3.7",
- "karma-webpack": "^4.0.2",
- "markdownlint-cli": "0.18.0",
- "md5": "^2.2.1",
- "node-sass": "^4.12.0",
- "nodemon": "^1.18.9",
@ -55,9 +55,12 @@
- "stylelint": "^10.1.0",
- "stylelint-config-recommended": "^2.2.0",
- "stylelint-scss": "^3.9.2",
- "timezone-mock": "^1.0.8",
- "vue-jest": "^4.0.0-beta.2",
- "webpack-dev-server": "^3.1.14",
- "yarn-deduplicate": "^1.1.1"
},
- },
+ },
"resolutions": {
"vue-jest/ts-jest": "24.0.0"
},


@ -1,6 +1,6 @@
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -126,9 +126,14 @@
@@ -127,9 +127,14 @@
resolve: {
extensions: ['.js', '.gql', '.graphql'],


@ -3,7 +3,7 @@ Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
--- a/package.json
+++ b/package.json
@@ -85,6 +85,7 @@
@@ -86,6 +86,7 @@
"fuzzaldrin-plus": "^0.5.0",
"glob": "^7.1.2",
"graphql": "^14.0.2",


@ -1,12 +1,12 @@
--- a/package.json
+++ b/package.json
@@ -121,28 +121,17 @@
@@ -122,29 +122,19 @@
"style-loader": "^0.23.1",
"svg4everybody": "2.1.9",
"three": "^0.84.0",
- "three-orbit-controls": "^82.1.0",
- "three-stl-loader": "^1.0.4",
- "timeago.js": "^3.0.2",
"timeago.js": "^3.0.2",
"tiptap": "^1.8.0",
"tiptap-commands": "^1.4.0",
"tiptap-extensions": "^1.8.0",
@ -20,6 +20,7 @@
"vue-router": "^3.0.2",
"vue-template-compiler": "^2.6.10",
"vue-virtual-scroll-list": "^1.3.1",
"vuedraggable": "^2.23.0",
"vuex": "^3.1.0",
- "webpack": "^4.29.0",
- "webpack-bundle-analyzer": "^3.3.2",
@ -39,7 +40,7 @@
const CopyWebpackPlugin = require('copy-webpack-plugin');
const ROOT_PATH = '/usr/share/gitlab';
@@ -126,12 +125,12 @@
@@ -127,12 +126,12 @@
resolve: {
extensions: ['.js', '.gql', '.graphql'],
@ -54,7 +55,7 @@
},
module: {
@@ -338,16 +337,6 @@
@@ -370,16 +369,6 @@
// enable HMR only in webpack-dev-server
DEV_SERVER_LIVERELOAD && new webpack.HotModuleReplacementPlugin(),
@ -71,7 +72,7 @@
new webpack.DefinePlugin({
// This one is used to define window.gon.ee and other things properly in tests:
'process.env.IS_GITLAB_EE': JSON.stringify(IS_EE),
@@ -373,6 +362,7 @@
@@ -405,6 +394,7 @@
node: {
fs: 'empty', // sqljs requires fs


@ -1,10 +1,12 @@
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -1,5 +1,5 @@
@@ -1,6 +1,6 @@
-require_relative '../settings'
-require_relative '../object_store_settings'
-require_relative '../smime_signature_settings'
+require '/usr/share/gitlab/config/settings'
+require '/usr/share/gitlab/config/object_store_settings'
+require '/usr/share/gitlab/config/smime_signature_settings'
# Default settings
Settings['ldap'] ||= Settingslogic.new({})


@ -5,7 +5,7 @@ Last-Update: 2019-11-19
--- a/Gemfile
+++ b/Gemfile
@@ -61,7 +61,7 @@
@@ -64,7 +64,7 @@
# GitLab Pages
gem 'validates_hostname', '~> 1.0', '>= 1.0.6'
@ -16,7 +16,7 @@ Last-Update: 2019-11-19
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -845,7 +845,7 @@
@@ -901,7 +901,7 @@
sexp_processor (~> 4.9)
rubyntlm (0.6.2)
rubypants (0.2.0)
@ -25,8 +25,8 @@ Last-Update: 2019-11-19
rugged (0.28.3.1)
safe_yaml (1.0.4)
sanitize (4.6.6)
@@ -1220,7 +1220,7 @@
ruby-prof (~> 0.17.0)
@@ -1291,7 +1291,7 @@
ruby-prof (~> 1.0.0)
ruby-progressbar
ruby_parser (~> 3.8)
- rubyzip (~> 1.2.2)


@ -10,7 +10,7 @@ Subject: [PATCH 1/2] Update d3 node module 4.13 -> 5.12
--- a/package.json
+++ b/package.json
@@ -61,7 +61,7 @@
@@ -62,7 +62,7 @@
"core-js": "^3.1.3",
"cropper": "^2.3.0",
"css-loader": "^1.0.0",


@ -1,154 +0,0 @@
From 5bdfcaa1c268aa475a11480a0ae33691f73a1a96 Mon Sep 17 00:00:00 2001
From: Brandon Labuschagne <blabuschagne@gitlab.com>
Date: Fri, 15 Nov 2019 14:39:29 +0000
Subject: [PATCH 1/2] Ensure that summary items remain aligned
Default number of items is 3. If this is not the case,
then increase the column width of the summary items
to cater for 2 items plus the date filter.
---
.../javascripts/cycle_analytics/cycle_analytics_bundle.js | 6 ++++++
app/views/projects/cycle_analytics/show.html.haml | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
+++ b/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
@@ -56,10 +56,16 @@
service: this.createCycleAnalyticsService(cycleAnalyticsEl.dataset.requestPath),
};
},
+ defaultNumberOfSummaryItems: 3,
computed: {
currentStage() {
return this.store.currentActiveStage();
},
+ summaryTableColumnClass() {
+ return this.state.summary.length === this.$options.defaultNumberOfSummaryItems
+ ? 'col-sm-3'
+ : 'col-sm-4';
+ },
},
created() {
// Conditional check placed here to prevent this method from being called on the
--- a/app/views/projects/cycle_analytics/show.html.haml
+++ b/app/views/projects/cycle_analytics/show.html.haml
@@ -14,10 +14,10 @@
.content-block
.container-fluid
.row
- .col-sm-3.col-12.column{ "v-for" => "item in state.summary" }
+ .col-12.column{ "v-for" => "item in state.summary", ":class" => "summaryTableColumnClass" }
%h3.header {{ item.value }}
%p.text {{ item.title }}
- .col-sm-3.col-12.column
+ .col-12.column{ ":class" => "summaryTableColumnClass" }
.dropdown.inline.js-ca-dropdown
%button.dropdown-menu-toggle{ "data-toggle" => "dropdown", :type => "button" }
%span.dropdown-label {{ n__('Last %d day', 'Last %d days', 30) }}
--- /dev/null
+++ b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Hide commit counts from guest users in Cycle Analytics.
+merge_request:
+author:
+type: security
--- a/lib/gitlab/cycle_analytics/stage_summary.rb
+++ b/lib/gitlab/cycle_analytics/stage_summary.rb
@@ -10,13 +10,29 @@
end
def data
- [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)),
- serialize(Summary::Commit.new(project: @project, from: @from)),
- serialize(Summary::Deploy.new(project: @project, from: @from))]
+ summary = [issue_stats]
+ summary << commit_stats if user_has_sufficient_access?
+ summary << deploy_stats
end
private
+ def issue_stats
+ serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
+ end
+
+ def commit_stats
+ serialize(Summary::Commit.new(project: @project, from: @from))
+ end
+
+ def deploy_stats
+ serialize(Summary::Deploy.new(project: @project, from: @from))
+ end
+
+ def user_has_sufficient_access?
+ @project.team.member?(@current_user, Gitlab::Access::REPORTER)
+ end
+
def serialize(summary_object)
AnalyticsSummarySerializer.new.represent(summary_object)
end
--- a/spec/features/cycle_analytics_spec.rb
+++ b/spec/features/cycle_analytics_spec.rb
@@ -108,6 +108,10 @@
wait_for_requests
end
+ it 'does not show the commit stats' do
+ expect(page).to have_no_selector(:xpath, commits_counter_selector)
+ end
+
it 'needs permissions to see restricted stages' do
expect(find('.stage-events')).to have_content(issue.title)
@@ -123,8 +127,12 @@
find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3")
end
+ def commits_counter_selector
+ "//p[contains(text(),'Commits')]/preceding-sibling::h3"
+ end
+
def commits_counter
- find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3")
+ find(:xpath, commits_counter_selector)
end
def deploys_counter
--- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
@@ -8,6 +8,10 @@
let(:user) { create(:user, :admin) }
subject { described_class.new(project, from: Time.now, current_user: user).data }
+ before do
+ project.add_maintainer(user)
+ end
+
describe "#new_issues" do
it "finds the number of issues created after the 'from date'" do
Timecop.freeze(5.days.ago) { create(:issue, project: project) }
@@ -42,6 +46,23 @@
expect(subject.second[:value]).to eq(100)
end
+
+ context 'when a guest user is signed in' do
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.add_guest(guest_user)
+ end
+
+ it 'does not include commit stats' do
+ data = described_class.new(project, from: from, current_user: guest_user).data
+ expect(includes_commits?(data)).to be_falsy
+ end
+
+ def includes_commits?(data)
+ data.any? { |h| h["title"] == 'Commits' }
+ end
+ end
end
describe "#deploys" do


@ -1,181 +0,0 @@
From debb36496b4805beae28262fbb24a692018178e2 Mon Sep 17 00:00:00 2001
From: Kerri Miller <kerrizor@kerrizor.com>
Date: Fri, 25 Oct 2019 07:46:40 -0500
Subject: [PATCH] Restrict branches visible to guests in Issue feed
Notes related to branch creation should not be shown in an issue's
activity feed when the user doesn't have access to :download_code.
---
app/models/note.rb | 15 ++++-
...er-related-branches-from-activity-feed.yml | 6 ++
.../projects/issues_controller_spec.rb | 37 +++++++++++
spec/models/note_spec.rb | 64 +++++++++++++++++++
4 files changed, 121 insertions(+), 1 deletion(-)
create mode 100644 changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -40,6 +40,10 @@
redact_field :note
+ TYPES_RESTRICTED_BY_ABILITY = {
+ branch: :download_code
+ }.freeze
+
# Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
# See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10392/diffs#note_28719102
alias_attribute :last_edited_at, :updated_at
@@ -333,7 +337,7 @@
end
def visible_for?(user)
- !cross_reference_not_visible_for?(user)
+ !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
end
def award_emoji?
@@ -485,6 +489,15 @@
private
+ def system_note_viewable_by?(user)
+ return true unless system_note_metadata
+
+ restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
+ return Ability.allowed?(user, restriction, project) if restriction
+
+ true
+ end
+
def keep_around_commit
project.repository.keep_around(self.commit_id)
end
--- /dev/null
+++ b/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
@@ -0,0 +1,6 @@
+---
+title: Remove notes regarding Related Branches from Issue activity feeds for guest
+ users
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1343,6 +1343,43 @@
expect { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }.not_to exceed_query_limit(control_count)
end
end
+
+ context 'private project' do
+ let!(:branch_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
+ let!(:commit_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
+ let!(:branch_note_meta) { create(:system_note_metadata, note: branch_note, action: "branch") }
+ let!(:commit_note_meta) { create(:system_note_metadata, note: commit_note, action: "commit") }
+
+ context 'user is allowed access' do
+ before do
+ project.add_user(user, :maintainer)
+ end
+
+ it 'displays all available notes' do
+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
+
+ expect(json_response.length).to eq(3)
+ end
+ end
+
+ context 'user is a guest' do
+ let(:json_response_note_ids) do
+ json_response.collect { |discussion| discussion["notes"] }.flatten
+ .collect { |note| note["id"].to_i }
+ end
+
+ before do
+ project.add_guest(user)
+ end
+
+ it 'does not display notes w/type listed in TYPES_RESTRICTED_BY_ACCESS_LEVEL' do
+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
+
+ expect(json_response.length).to eq(2)
+ expect(json_response_note_ids).not_to include(branch_note.id)
+ end
+ end
+ end
end
end
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -246,6 +246,70 @@
end
end
+ describe "#visible_for?" do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:note) { create(:note) }
+ let(:user) { create(:user) }
+
+ where(:cross_reference_visible, :system_note_viewable, :result) do
+ true | true | false
+ false | true | true
+ false | false | false
+ end
+
+ with_them do
+ it "returns expected result" do
+ expect(note).to receive(:cross_reference_not_visible_for?).and_return(cross_reference_visible)
+
+ unless cross_reference_visible
+ expect(note).to receive(:system_note_viewable_by?)
+ .with(user).and_return(system_note_viewable)
+ end
+
+ expect(note.visible_for?(user)).to eq result
+ end
+ end
+ end
+
+ describe "#system_note_viewable_by?(user)" do
+ let(:note) { create(:note) }
+ let(:user) { create(:user) }
+ let!(:metadata) { create(:system_note_metadata, note: note, action: "branch") }
+
+ context "when system_note_metadata is not present" do
+ it "returns true" do
+ expect(note).to receive(:system_note_metadata).and_return(nil)
+
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+
+ context "system_note_metadata isn't of type 'branch'" do
+ before do
+ metadata.action = "not_a_branch"
+ end
+
+ it "returns true" do
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+
+ context "user doesn't have :download_code ability" do
+ it "returns false" do
+ expect(note.send(:system_note_viewable_by?, user)).to be_falsey
+ end
+ end
+
+ context "user has the :download_code ability" do
+ it "returns true" do
+ expect(Ability).to receive(:allowed?).with(user, :download_code, note.project).and_return(true)
+
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+ end
+
describe "cross_reference_not_visible_for?" do
let(:private_user) { create(:user) }
let(:private_project) { create(:project, namespace: private_user.namespace) { |p| p.add_maintainer(private_user) } }


@ -10,7 +10,6 @@
0470-relax-bootsnap.patch
0480-embed-snowplow-tracker.patch
0481-relax-contracts-dependency-of-snowplow.patch
0482-relax-gitlab-labkit.patch
0500-set-webpack-root.patch
0510-remove-dev-dependencies.patch
0520-add-system-lib-path-for-webpack.patch
@ -28,5 +27,3 @@
0750-fix-relative-paths.patch
0760-bump-rubyzip.patch
0770-bump-node-d3.patch
CVE-2019-19254.patch
CVE-2019-19257.patch
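Review bot: The series drops `CVE-2019-19254.patch` and `CVE-2019-19257.patch` in the hunk at `@ -28,5 +27,3 @@`, and the two patch files deleted earlier on this page (`@ -1,154 +0,0 @@` and `@ -1,181 +0,0 @@`) carry the corresponding upstream security fixes — hiding commit counts from guests in Cycle Analytics, and restricting branch system notes to users with the :download_code ability — yet the commit message is only "Refresh patches". Presumably the new upstream release already contains both changes, but nothing on the page records that, and a patch refresh that silently removes a security fix reads the same as one that confirms the fix landed upstream. I would state it explicitly in the commit message or the package changelog, e.g. `Drop CVE-2019-19254.patch and CVE-2019-19257.patch, fixed upstream in <UPSTREAM-VERSION>`, with the upstream version filled in, so the next refresh can verify the claim rather than trust it.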