Ensure the API doesn't return notes that the current user shouldn't see
This commit is contained in:
parent
1f0b8c32e7
commit
0c10aee596
|
@ -20,7 +20,19 @@ module API
|
|||
# GET /projects/:id/snippets/:noteable_id/notes
|
||||
get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
|
||||
@noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
|
||||
present paginate(@noteable.notes), with: Entities::Note
|
||||
|
||||
# We exclude notes that are cross-references and that cannot be viewed
|
||||
# by the current user. By doing this exclusion at this level and not
|
||||
# at the DB query level (which we cannot in that case), the current
|
||||
# page can have less elements than :per_page even if
|
||||
# there's more than one page.
|
||||
notes =
|
||||
# paginate() only works with a relation. This could lead to a
|
||||
# mismatch between the pagination headers info and the actual notes
|
||||
# array returned, but this is really a edge-case.
|
||||
paginate(@noteable.notes).
|
||||
reject { |n| n.cross_reference_not_visible_for?(current_user) }
|
||||
present notes, with: Entities::Note
|
||||
end
|
||||
|
||||
# Get a single +noteable+ note
|
||||
|
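Review bot: The pagination headers are still computed from the unfiltered `@noteable.notes` relation in `paginate(@noteable.notes)`, so a caller who receives a short page can infer how many cross-reference notes exist that they are not allowed to see, even though the note bodies themselves are withheld. The comment above `notes =` mentions the page-size mismatch but not this consequence; I would extend it with `# The pagination headers (total/page counts) still include the rejected notes, so their existence, though not their content, remains observable.` If the visibility rule can ever be expressed as a scope, filtering the relation before `paginate` would remove both the mismatch and the count leak. The enclosing `module API` and the route loop that defines `noteables_str` begin outside the hunk.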
@ -35,8 +47,13 @@ module API
|
|||
get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do
|
||||
@noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
|
||||
@note = @noteable.notes.find(params[:note_id])
|
||||
|
||||
if @note.cross_reference_not_visible_for?(current_user)
|
||||
not_found!("Note")
|
||||
else
|
||||
present @note, with: Entities::Note
|
||||
end
|
||||
end
|
||||
|
||||
# Create a new +noteable+ note
|
||||
#
|
||||
|
|
|
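Review bot: The `if`/`else` around `not_found!("Note")` reads more naturally as a guard clause, which also keeps the single-note branch parallel with the list endpoint above; assuming `not_found!` halts the request as Grape's `error!` does, `not_found!("Note") if @note.cross_reference_not_visible_for?(current_user)` followed by `present @note, with: Entities::Note` is equivalent. Answering 404 rather than 403 here is the right choice, since it keeps a hidden cross-reference indistinguishable from a nonexistent note id. Worth a one-line comment stating that intent, e.g. `# Respond 404, not 403, so a hidden cross-reference is indistinguishable from a missing note.`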
@ -10,6 +10,24 @@ describe API::API, api: true do
|
|||
let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) }
|
||||
let!(:merge_request_note) { create(:note, noteable: merge_request, project: project, author: user) }
|
||||
let!(:snippet_note) { create(:note, noteable: snippet, project: project, author: user) }
|
||||
|
||||
# For testing the cross-reference of a private issue in a public issue
|
||||
let(:private_user) { create(:user) }
|
||||
let(:private_project) {
|
||||
create(:project, namespace: private_user.namespace).
|
||||
tap { |p| p.team << [private_user, :master] }
|
||||
}
|
||||
let(:private_issue) { create(:issue, project: private_project) }
|
||||
let(:ext_proj) { create(:project, :public) }
|
||||
let(:ext_issue) { create(:issue, project: ext_proj) }
|
||||
|
||||
let!(:cross_reference_note) {
|
||||
create :note,
|
||||
noteable: ext_issue, project: ext_proj,
|
||||
note: "mentioned in issue #{private_issue.to_reference(ext_proj)}",
|
||||
system: true
|
||||
}
|
||||
|
||||
before { project.team << [user, :reporter] }
|
||||
|
||||
describe "GET /projects/:id/noteable/:noteable_id/notes" do
|
||||
|
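Review bot: `let(:private_project) { ... }` and `let!(:cross_reference_note) { ... }` use brace blocks spanning several lines; the file's other `let` blocks are single-line, so the multi-line ones should use `do ... end` per the usual Ruby style. The cross-reference fixture also hard-codes the `"mentioned in issue #{...}"` text with `system: true` rather than going through whatever produces real cross-reference notes, so if that format changes the spec would presumably keep passing against a stale shape; a short comment such as `# Mirrors the system-note text that cross_reference_not_visible_for? inspects` would at least make the coupling visible.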
@ -25,6 +43,24 @@ describe API::API, api: true do
|
|||
get api("/projects/#{project.id}/issues/123/notes", user)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
context "that references a private issue" do
|
||||
it "should return an empty array" do
|
||||
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
|
||||
expect(response.status).to eq(200)
|
||||
expect(json_response).to be_an Array
|
||||
expect(json_response).to be_empty
|
||||
end
|
||||
|
||||
context "and current user can view the note" do
|
||||
it "should return an empty array" do
|
||||
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user)
|
||||
expect(response.status).to eq(200)
|
||||
expect(json_response).to be_an Array
|
||||
expect(json_response.first['body']).to eq(cross_reference_note.note)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "when noteable is a Snippet" do
|
||||
|
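Review bot: The example description under `context "and current user can view the note"` is wrong: `it "should return an empty array"` is asserting that the first element's `body` equals `cross_reference_note.note`, i.e. a non-empty array. Rename it to `it "should return the cross-reference note"` so the spec output reads correctly. The outer `describe`/`context` blocks this sits in start before the hunk.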
@ -68,6 +104,21 @@ describe API::API, api: true do
|
|||
get api("/projects/#{project.id}/issues/#{issue.id}/notes/123", user)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
context "that references a private issue" do
|
||||
it "should return a 404 error" do
|
||||
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", user)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
context "and current user can view the note" do
|
||||
it "should return an issue note by id" do
|
||||
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", private_user)
|
||||
expect(response.status).to eq(200)
|
||||
expect(json_response['body']).to eq(cross_reference_note.note)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "when noteable is a Snippet" do
|
||||
|
|