1fad55a4
Commit
1fad55a4
authored
Jun 08, 2017
by
Douwe Maan
Committed by
James Edwards-Jones
Jul 19, 2017
Merge branch '33323-fix-incorrect-project-authorizations' into 'security-9-2'
Escape the underscore character inside the LIKE pattern See merge request !2117
parent
506384da
Showing
4 changed files
with
60 additions
and
3 deletions
+60
-3
routable.rb
app/models/concerns/routable.rb
+3
-3
33323-fix-incorrect-project-authorizations
...ogs/unreleased/33323-fix-incorrect-project-authorizations
+4
-0
routable_spec.rb
spec/models/concerns/routable_spec.rb
+23
-0
refresh_authorized_projects_service_spec.rb
...ervices/users/refresh_authorized_projects_service_spec.rb
+30
-0
app/models/concerns/routable.rb
...
...
@@ -94,7 +94,7 @@ module Routable
# Returns an ActiveRecord::Relation.
def
member_descendants
(
user_id
)
joins
(
:route
).
joins
(
"INNER JOIN routes r2 ON routes.path LIKE CONCAT(
r2.path
, '/%')
joins
(
"INNER JOIN routes r2 ON routes.path LIKE CONCAT(
REPLACE(r2.path, '_', '
\\
_')
, '/%')
INNER JOIN members ON members.source_id = r2.source_id
AND members.source_type = r2.source_type"
).
where
(
'members.user_id = ?'
,
user_id
)
...
...
@@ -111,7 +111,7 @@ module Routable
# Returns an ActiveRecord::Relation.
def
member_self_and_descendants
(
user_id
)
joins
(
:route
).
joins
(
"INNER JOIN routes r2 ON routes.path LIKE CONCAT(
r2.path
, '/%')
joins
(
"INNER JOIN routes r2 ON routes.path LIKE CONCAT(
REPLACE(r2.path, '_', '
\\
_')
, '/%')
OR routes.path = r2.path
INNER JOIN members ON members.source_id = r2.source_id
AND members.source_type = r2.source_type"
).
...
...
@@ -162,7 +162,7 @@ module Routable
wheres
=
paths
.
map
do
|
path
|
"
#{
connection
.
quote
(
path
)
}
= routes.path
OR
#{
connection
.
quote
(
path
)
}
LIKE CONCAT(
routes.path
, '/%')"
#{
connection
.
quote
(
path
)
}
LIKE CONCAT(
REPLACE(routes.path, '_', '
\\
_')
, '/%')"
end
joins
(
:route
).
where
(
wheres
.
join
(
' OR '
))
...
...
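Review bot: The new REPLACE escapes only `_`; the other LIKE wildcard, `%`, still passes through unescaped in all three hunks (member_descendants, member_self_and_descendants, and the `wheres` builder, whose enclosing method starts outside its hunk). If route paths are validated to a character set that excludes `%`, that dependency deserves a comment at each site, e.g. `# Escape LIKE wildcards so an underscore in a path matches literally; the path format excludes '%', so only '_' needs escaping`; otherwise nest a second REPLACE, `REPLACE(REPLACE(r2.path, '%', '\\%'), '_', '\\_')`. The backslash also relies on the adapter's default LIKE escape character, so an explicit ESCAPE clause would make the behaviour independent of adapter settings. The same escaped fragment is now duplicated three times; a small private helper returning the escaped expression would keep the three call sites from drifting.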
changelogs/unreleased/33323-fix-incorrect-project-authorizations
0 → 100644
---
title: Fix incorrect project authorizations
merge_request:
author:
spec/models/concerns/routable_spec.rb
...
...
@@ -133,6 +133,29 @@ describe Group, 'Routable' do
subject
{
described_class
.
member_self_and_descendants
(
user
.
id
)
}
it
{
is_expected
.
to
match_array
[
group
,
nested_group
]
}
context
'when the group has special chars in its path'
do
let
(
:user1
)
{
create
(
:user
)
}
let
(
:group1
)
{
create
(
:group
,
name:
'demo'
,
path:
'demo'
)
}
let
(
:nested_group1
)
{
create
(
:group
,
name:
'nest'
,
path:
'nest'
,
parent:
group1
)
}
let!
(
:project1
)
{
create
(
:empty_project
,
group:
nested_group1
)
}
let
(
:user2
)
{
create
(
:user
)
}
let
(
:group2
)
{
create
(
:group
,
name:
'____'
,
path:
'____'
)
}
let
(
:nested_group2
)
{
create
(
:group
,
name:
'test'
,
path:
'test'
,
parent:
group2
)
}
let!
(
:project2
)
{
create
(
:empty_project
,
group:
nested_group2
)
}
before
do
group1
.
add_master
(
user1
)
group2
.
add_master
(
user2
)
end
it
'only returns the right groups'
do
groups
=
described_class
.
member_self_and_descendants
(
user2
.
id
)
expect
(
groups
).
to
match_array
([
group2
,
nested_group2
])
end
end
end
describe
'.member_hierarchy'
do
...
...
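Review bot: The new context asserts only user2's view, which is the side an unescaped `____/%` pattern would have polluted with `demo/nest`, but leaves the symmetric normal case unchecked; adding `expect(described_class.member_self_and_descendants(user1.id)).to match_array([group1, nested_group1])` to the same example would pin that the escaping does not drop legitimate descendants. Only member_self_and_descendants is exercised here, while member_descendants and the `wheres` builder changed in the same commit get no special-chars coverage, so a parallel example for at least member_descendants would be worthwhile. The context's `it` description could also name what is being guarded against, e.g. `it 'does not match underscores in the path as wildcards'`, so a future failure explains itself.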
spec/services/users/refresh_authorized_projects_service_spec.rb
...
...
@@ -115,6 +115,36 @@ describe Users::RefreshAuthorizedProjectsService do
expect
(
user
.
authorized_projects_populated
).
to
eq
(
true
)
end
context
'when the group has special chars in its path'
do
let
(
:user1
)
{
create
(
:user
)
}
let
(
:group1
)
{
create
(
:group
,
name:
'demo'
,
path:
'demo'
)
}
let
(
:nested_group1
)
{
create
(
:group
,
name:
'nest'
,
path:
'nest'
,
parent:
group1
)
}
let!
(
:project1
)
{
create
(
:empty_project
,
group:
nested_group1
)
}
let
(
:user2
)
{
create
(
:user
)
}
let
(
:group2
)
{
create
(
:group
,
name:
'____'
,
path:
'____'
)
}
let
(
:nested_group2
)
{
create
(
:group
,
name:
'test'
,
path:
'test'
,
parent:
group2
)
}
let!
(
:project2
)
{
create
(
:empty_project
,
group:
nested_group2
)
}
before
do
group1
.
add_master
(
user1
)
group2
.
add_master
(
user2
)
described_class
.
new
(
user1
).
execute
described_class
.
new
(
user2
).
execute
end
it
"it doesn't give authorization to foreign projects"
do
expect
(
user1
.
authorized_projects
).
not_to
include
(
project2
)
expect
(
user2
.
authorized_projects
).
not_to
include
(
project1
)
end
it
'only gives authorization to the right projects'
do
expect
(
user1
.
authorized_projects
).
to
match_array
([
project1
])
expect
(
user2
.
authorized_projects
).
to
match_array
([
project2
])
end
end
end
describe
'#fresh_access_levels_per_project'
do
...
...
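Review bot: The description of the first new example starts with the word "it", so the generated output reads "it it doesn't give authorization to foreign projects"; drop the prefix: `it "doesn't give authorization to foreign projects" do`. That example is also implied by the second one, since `match_array([project1])` already excludes project2, so the two could be merged, or the first kept deliberately as a readability aid with its description fixed. The fixtures in this context duplicate the ones added to routable_spec.rb in the same commit; a shared context would keep the two in step if the path format under test changes.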