Hide disabled project milestones in project settings on group level
This commit is contained in:
parent
48bb855ece
commit
58290d90e5
|
@ -3,14 +3,13 @@
|
|||
class Groups::MilestonesController < Groups::ApplicationController
|
||||
include MilestoneActions
|
||||
|
||||
before_action :group_projects
|
||||
before_action :milestone, only: [:edit, :show, :update, :merge_requests, :participants, :labels, :destroy]
|
||||
before_action :authorize_admin_milestones!, only: [:edit, :new, :create, :update, :destroy]
|
||||
|
||||
def index
|
||||
respond_to do |format|
|
||||
format.html do
|
||||
@milestone_states = Milestone.states_count(group_projects, [group])
|
||||
@milestone_states = Milestone.states_count(group_projects_with_access, [group])
|
||||
@milestones = Kaminari.paginate_array(milestones).page(params[:page])
|
||||
end
|
||||
format.json do
|
||||
|
@ -100,13 +99,18 @@ class Groups::MilestonesController < Groups::ApplicationController
|
|||
end
|
||||
|
||||
def legacy_milestones
|
||||
GroupMilestone.build_collection(group, group_projects, params)
|
||||
GroupMilestone.build_collection(group, group_projects_with_access, params)
|
||||
end
|
||||
|
||||
def group_projects_with_access
|
||||
group_projects.with_issues_available_for_user(current_user)
|
||||
.or(group_projects.with_merge_requests_available_for_user(current_user))
|
||||
end
|
||||
|
||||
def milestone
|
||||
@milestone =
|
||||
if params[:title]
|
||||
GroupMilestone.build(group, group_projects, params[:title])
|
||||
GroupMilestone.build(group, group_projects_with_access, params[:title])
|
||||
else
|
||||
group.milestones.find_by_iid(params[:id])
|
||||
end
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
title: Do not disclose project milestones on group milestones page when project milestones
|
||||
access is disabled in project settings
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -3,8 +3,8 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe Groups::MilestonesController do
|
||||
let(:group) { create(:group) }
|
||||
let!(:project) { create(:project, group: group) }
|
||||
let(:group) { create(:group, :public) }
|
||||
let!(:project) { create(:project, :public, group: group) }
|
||||
let!(:project2) { create(:project, group: group) }
|
||||
let(:user) { create(:user) }
|
||||
let(:title) { '肯定不是中文的问题' }
|
||||
|
@ -63,6 +63,73 @@ describe Groups::MilestonesController do
|
|||
expect(response.body).to include(group_milestone.title)
|
||||
expect(response.body).not_to include(milestone.title)
|
||||
end
|
||||
|
||||
context 'when anonymous user' do
|
||||
before do
|
||||
sign_out(user)
|
||||
end
|
||||
|
||||
it 'shows group milestones page' do
|
||||
milestone
|
||||
|
||||
get :index, params: { group_id: group.to_param }
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response.body).to include(milestone.title)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when issues and merge requests are disabled in public project' do
|
||||
shared_examples 'milestone not accessible' do
|
||||
it 'does not return milestone' do
|
||||
get :index, params: { group_id: public_group.to_param }
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response.body).not_to include(private_milestone.title)
|
||||
end
|
||||
end
|
||||
|
||||
let!(:public_group) { create(:group, :public) }
|
||||
|
||||
let!(:public_project_with_private_issues_and_mrs) do
|
||||
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
|
||||
end
|
||||
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
|
||||
|
||||
context 'when anonymous user' do
|
||||
before do
|
||||
sign_out(user)
|
||||
end
|
||||
|
||||
it_behaves_like 'milestone not accessible'
|
||||
end
|
||||
|
||||
context 'when non project or group member user' do
|
||||
let(:non_member) { create(:user) }
|
||||
|
||||
before do
|
||||
sign_in(non_member)
|
||||
end
|
||||
|
||||
it_behaves_like 'milestone not accessible'
|
||||
end
|
||||
|
||||
context 'when group member user' do
|
||||
let(:member) { create(:user) }
|
||||
|
||||
before do
|
||||
sign_in(member)
|
||||
public_group.add_guest(member)
|
||||
end
|
||||
|
||||
it 'returns the milestone' do
|
||||
get :index, params: { group_id: public_group.to_param }
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response.body).to include(private_milestone.title)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'as JSON' do
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe Groups::MilestonesController do
|
||||
context 'N+1 DB queries' do
|
||||
let(:user) { create(:user) }
|
||||
let!(:public_group) { create(:group, :public) }
|
||||
|
||||
let!(:public_project_with_private_issues_and_mrs) do
|
||||
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
|
||||
end
|
||||
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
|
||||
|
||||
it 'avoids N+1 database queries' do
|
||||
public_project = create(:project, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
|
||||
create(:milestone, project: public_project)
|
||||
|
||||
control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) { get "/groups/#{public_group.to_param}/-/milestones.json" }.count
|
||||
|
||||
projects = create_list(:project, 2, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
|
||||
projects.each do |project|
|
||||
create(:milestone, project: project)
|
||||
end
|
||||
|
||||
expect { get "/groups/#{public_group.to_param}/-/milestones.json" }.not_to exceed_all_query_limit(control_count)
|
||||
expect(response).to have_http_status(200)
|
||||
milestones = json_response
|
||||
|
||||
expect(milestones.count).to eq(3)
|
||||
expect(milestones.map {|x| x['title']}).not_to include(private_milestone.title)
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue