redactor.rb 3.67 KB
Newer Older
1 2
# frozen_string_literal: true

3 4 5 6
module Banzai
  # Class for removing Markdown references a certain user is not allowed to
  # view.
  class Redactor
7
    attr_reader :context
8

9 10 11 12 13 14 15
    # context - An instance of `Banzai::RenderContext`.
    def initialize(context)
      @context = context
    end

    def user
      context.current_user
16 17 18 19 20 21 22 23 24 25
    end

    # Redacts the references in the given Array of documents.
    #
    # This method modifies the given documents in-place.
    #
    # documents - A list of HTML documents containing references to redact.
    #
    # Returns the documents passed as the first argument.
    def redact(documents)
26
      redact_cross_project_references(documents) unless can_read_cross_project?
27

28
      all_document_nodes = document_nodes(documents)
29
      redact_document_nodes(all_document_nodes)
30 31
    end

32
    # Redacts the given node documents
33
    #
34 35 36 37 38
    # data - An Array of a Hashes mapping an HTML document to nodes to redact.
    def redact_document_nodes(all_document_nodes)
      all_nodes = all_document_nodes.map { |x| x[:nodes] }.flatten
      visible = nodes_visible_to_user(all_nodes)
      metadata = []
39

40 41
      all_document_nodes.each do |entry|
        nodes_for_document = entry[:nodes]
42 43 44 45 46 47 48

        doc_data = {
          document:                entry[:document],
          total_reference_count:   nodes_for_document.count,
          visible_reference_count: nodes_for_document.count
        }

49 50 51 52 53 54
        metadata << doc_data

        nodes_for_document.each do |node|
          next if visible.include?(node)

          doc_data[:visible_reference_count] -= 1
55 56
          redacted_content = redacted_node_content(node)
          node.replace(redacted_content)
57 58
        end
      end
59 60

      metadata
61 62
    end

63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
    # Return redacted content of given node as either the original link (<a> tag),
    # the original content (text), or the inner HTML of the node.
    #
    def redacted_node_content(node)
      original_content = node.attr('data-original')
      link_reference = node.attr('data-link-reference')

      # Build the raw <a> tag just with a link as href and content if
      # it's originally a link pattern. We shouldn't return a plain text href.
      original_link =
        if link_reference == 'true' && href = original_content
          %(<a href="#{href}">#{href}</a>)
        end

      # The reference should be replaced by the original link's content,
      # which is not always the same as the rendered one.
      original_link || original_content || node.inner_html
    end

82
    def redact_cross_project_references(documents)
83
      extractor = Banzai::IssuableExtractor.new(context)
84 85 86
      issuables = extractor.extract(documents)

      issuables.each do |node, issuable|
87
        next if issuable.project == context.project_for_node(node)
88 89 90 91 92 93

        node['class'] = node['class'].gsub('has-tooltip', '')
        node['title'] = nil
      end
    end

94 95 96 97 98 99 100 101 102 103 104 105 106 107
    # Returns the nodes visible to the current user.
    #
    # nodes - The input nodes to check.
    #
    # Returns a new Array containing the visible nodes.
    def nodes_visible_to_user(nodes)
      per_type = Hash.new { |h, k| h[k] = [] }
      visible = Set.new

      nodes.each do |node|
        per_type[node.attr('data-reference-type')] << node
      end

      per_type.each do |type, nodes|
108
        parser = Banzai::ReferenceParser[type].new(context)
109 110 111 112 113 114

        visible.merge(parser.nodes_visible_to_user(user, nodes))
      end

      visible
    end
115 116 117 118 119 120

    def document_nodes(documents)
      documents.map do |document|
        { document: document, nodes: Querying.css(document, 'a.gfm[data-reference-type]') }
      end
    end
121 122 123 124 125 126

    private

    def can_read_cross_project?
      Ability.allowed?(user, :read_cross_project)
    end
127 128
  end
end