diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb index 58df6f66d50..1eacae06457 100644 --- a/app/controllers/groups/milestones_controller.rb +++ b/app/controllers/groups/milestones_controller.rb @@ -3,14 +3,13 @@ class Groups::MilestonesController < Groups::ApplicationController include MilestoneActions - before_action :group_projects before_action :milestone, only: [:edit, :show, :update, :merge_requests, :participants, :labels, :destroy] before_action :authorize_admin_milestones!, only: [:edit, :new, :create, :update, :destroy] def index respond_to do |format| format.html do - @milestone_states = Milestone.states_count(group_projects, [group]) + @milestone_states = Milestone.states_count(group_projects_with_access, [group]) @milestones = Kaminari.paginate_array(milestones).page(params[:page]) end format.json do @@ -100,13 +99,18 @@ class Groups::MilestonesController < Groups::ApplicationController end def legacy_milestones - GroupMilestone.build_collection(group, group_projects, params) + GroupMilestone.build_collection(group, group_projects_with_access, params) + end + + def group_projects_with_access + group_projects.with_issues_available_for_user(current_user) + .or(group_projects.with_merge_requests_available_for_user(current_user)) end def milestone @milestone = if params[:title] - GroupMilestone.build(group, group_projects, params[:title]) + GroupMilestone.build(group, group_projects_with_access, params[:title]) else group.milestones.find_by_iid(params[:id]) end diff --git a/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml b/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml new file mode 100644 index 00000000000..7625655cadd --- /dev/null +++ b/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml @@ -0,0 +1,6 @@ +--- +title: Do not disclose project milestones on group milestones page when project milestones + access is disabled in project settings +merge_request: +author: +type: security diff --git a/spec/controllers/groups/milestones_controller_spec.rb b/spec/controllers/groups/milestones_controller_spec.rb index 41927907fd1..e0a3605d50a 100644 --- a/spec/controllers/groups/milestones_controller_spec.rb +++ b/spec/controllers/groups/milestones_controller_spec.rb @@ -3,8 +3,8 @@ require 'spec_helper' describe Groups::MilestonesController do - let(:group) { create(:group) } - let!(:project) { create(:project, group: group) } + let(:group) { create(:group, :public) } + let!(:project) { create(:project, :public, group: group) } let!(:project2) { create(:project, group: group) } let(:user) { create(:user) } let(:title) { '肯定不是中文的问题' } @@ -63,6 +63,73 @@ describe Groups::MilestonesController do expect(response.body).to include(group_milestone.title) expect(response.body).not_to include(milestone.title) end + + context 'when anonymous user' do + before do + sign_out(user) + end + + it 'shows group milestones page' do + milestone + + get :index, params: { group_id: group.to_param } + + expect(response).to have_gitlab_http_status(200) + expect(response.body).to include(milestone.title) + end + end + + context 'when issues and merge requests are disabled in public project' do + shared_examples 'milestone not accessible' do + it 'does not return milestone' do + get :index, params: { group_id: public_group.to_param } + + expect(response).to have_gitlab_http_status(200) + expect(response.body).not_to include(private_milestone.title) + end + end + + let!(:public_group) { create(:group, :public) } + + let!(:public_project_with_private_issues_and_mrs) do + create(:project, :public, :issues_private, :merge_requests_private, group: public_group) + end + let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') } + + context 'when anonymous user' do + before do + sign_out(user) + end + + it_behaves_like 'milestone not accessible' + end + + context 'when non project or group member user' do + let(:non_member) { create(:user) } + + before do + sign_in(non_member) + end + + it_behaves_like 'milestone not accessible' + end + + context 'when group member user' do + let(:member) { create(:user) } + + before do + sign_in(member) + public_group.add_guest(member) + end + + it 'returns the milestone' do + get :index, params: { group_id: public_group.to_param } + + expect(response).to have_gitlab_http_status(200) + expect(response.body).to include(private_milestone.title) + end + end + end end context 'as JSON' do diff --git a/spec/requests/groups/milestones_controller_spec.rb b/spec/requests/groups/milestones_controller_spec.rb new file mode 100644 index 00000000000..af19d931284 --- /dev/null +++ b/spec/requests/groups/milestones_controller_spec.rb @@ -0,0 +1,32 @@ +require 'spec_helper' + +describe Groups::MilestonesController do + context 'N+1 DB queries' do + let(:user) { create(:user) } + let!(:public_group) { create(:group, :public) } + + let!(:public_project_with_private_issues_and_mrs) do + create(:project, :public, :issues_private, :merge_requests_private, group: public_group) + end + let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') } + + it 'avoids N+1 database queries' do + public_project = create(:project, :public, :merge_requests_enabled, :issues_enabled, group: public_group) + create(:milestone, project: public_project) + + control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) { get "/groups/#{public_group.to_param}/-/milestones.json" }.count + + projects = create_list(:project, 2, :public, :merge_requests_enabled, :issues_enabled, group: public_group) + projects.each do |project| + create(:milestone, project: project) + end + + expect { get "/groups/#{public_group.to_param}/-/milestones.json" }.not_to exceed_all_query_limit(control_count) + expect(response).to have_http_status(200) + milestones = json_response + + expect(milestones.count).to eq(3) + expect(milestones.map {|x| x['title']}).not_to include(private_milestone.title) + end + end +end