Douwe Maan authored

Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

:warning: - Potentially untested  
:bomb: - No test coverage  
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)  
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)  
:white_check_mark: - Permissions check tested

### Issue lookup with access check

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]

### Previous discussions

- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031

Commit: 3bf34fac