Merge branch '29364-private-projects-mr-fix'
Don’t show source project name when user does not have access See merge request !2081
This commit is contained in:
parent
2e8aa209f0
commit
29d8b4ee72
|
@ -21,7 +21,9 @@ module MergeRequests
|
|||
delegate :target_branch, :source_branch, :source_project, :target_project, :compare_commits, :wip_title, :description, :errors, to: :merge_request
|
||||
|
||||
def find_source_project
|
||||
source_project || project
|
||||
return source_project if source_project.present? && can?(current_user, :read_project, source_project)
|
||||
|
||||
project
|
||||
end
|
||||
|
||||
def find_target_project
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Don’t show source project name when user does not have access
|
||||
merge_request:
|
||||
author:
|
|
@ -70,6 +70,18 @@ feature 'Create New Merge Request', feature: true, js: true do
|
|||
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
|
||||
|
||||
expect(page).not_to have_content private_project.path_with_namespace
|
||||
expect(page).to have_content project.path_with_namespace
|
||||
end
|
||||
end
|
||||
|
||||
context 'when source project cannot be viewed by the current user' do
|
||||
it 'does not leak the private project name & namespace' do
|
||||
private_project = create(:project, :private)
|
||||
|
||||
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { source_project_id: private_project.id })
|
||||
|
||||
expect(page).not_to have_content private_project.path_with_namespace
|
||||
expect(page).to have_content project.path_with_namespace
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -4,6 +4,8 @@ describe MergeRequests::BuildService, services: true do
|
|||
include RepoHelpers
|
||||
|
||||
let(:project) { create(:project, :repository) }
|
||||
let(:source_project) { nil }
|
||||
let(:target_project) { nil }
|
||||
let(:user) { create(:user) }
|
||||
let(:issue_confidential) { false }
|
||||
let(:issue) { create(:issue, project: project, title: 'A bug', confidential: issue_confidential) }
|
||||
|
@ -20,7 +22,9 @@ describe MergeRequests::BuildService, services: true do
|
|||
MergeRequests::BuildService.new(project, user,
|
||||
description: description,
|
||||
source_branch: source_branch,
|
||||
target_branch: target_branch)
|
||||
target_branch: target_branch,
|
||||
source_project: source_project,
|
||||
target_project: target_project)
|
||||
end
|
||||
|
||||
before do
|
||||
|
@ -256,5 +260,41 @@ describe MergeRequests::BuildService, services: true do
|
|||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'target_project is set and accessible by current_user' do
|
||||
let(:target_project) { create(:project, :public, :repository)}
|
||||
let(:commits) { Commit.decorate([commit_1], project) }
|
||||
|
||||
it 'sets target project correctly' do
|
||||
expect(merge_request.target_project).to eq(target_project)
|
||||
end
|
||||
end
|
||||
|
||||
context 'target_project is set but not accessible by current_user' do
|
||||
let(:target_project) { create(:project, :private, :repository)}
|
||||
let(:commits) { Commit.decorate([commit_1], project) }
|
||||
|
||||
it 'sets target project correctly' do
|
||||
expect(merge_request.target_project).to eq(project)
|
||||
end
|
||||
end
|
||||
|
||||
context 'source_project is set and accessible by current_user' do
|
||||
let(:source_project) { create(:project, :public, :repository)}
|
||||
let(:commits) { Commit.decorate([commit_1], project) }
|
||||
|
||||
it 'sets target project correctly' do
|
||||
expect(merge_request.source_project).to eq(source_project)
|
||||
end
|
||||
end
|
||||
|
||||
context 'source_project is set but not accessible by current_user' do
|
||||
let(:source_project) { create(:project, :private, :repository)}
|
||||
let(:commits) { Commit.decorate([commit_1], project) }
|
||||
|
||||
it 'sets target project correctly' do
|
||||
expect(merge_request.source_project).to eq(project)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue