Add changelog and updated spec

Ensure that references to private projects are not visible
2019-02-19 12:13:22 +01:00 · 2019-02-19 12:13:22 +01:00 · 3dca5b3076
parent 6e4fdc117c
commit 3dca5b3076
2 changed files with 14 additions and 0 deletions
--- a/changelogs/unreleased/55376-related_merge_requests-api-call-returns-merge-requests-that-are-not-related-to-the-issue.yml
+++ b/changelogs/unreleased/55376-related_merge_requests-api-call-returns-merge-requests-that-are-not-related-to-the-issue.yml
@ -0,0 +1,5 @@
+---
+title: 'API: Ensure that related merge requests are referenced cross-project'
+merge_request: 25222
+author: Robert Schilling
+type: fixed
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@ -1838,6 +1838,15 @@ describe API::Issues do
      expect_paginated_array_response([related_mr.id, merge_request.id])
    end

+    it 'does not generate references to projects with no access' do
+      private_project = create(:project, :private)
+      create_referencing_mr(private_project.creator, private_project, issue)
+
+      get_related_merge_requests(project.id, issue.iid, user)
+
+      expect_paginated_array_response(related_mr.id)
+    end
+
    context 'no merge request mentioned a issue' do
      it 'returns empty array' do
        get_related_merge_requests(project.id, closed_issue.iid, user)