Restrict access to confidential issues on activity feed
This commit is contained in:
parent
7d403ec46f
commit
9222459ea3
|
@ -194,7 +194,7 @@ module EventsHelper
|
|||
end
|
||||
|
||||
def event_to_atom(xml, event)
|
||||
if event.proper?
|
||||
if event.proper?(current_user)
|
||||
xml.entry do
|
||||
event_link = event_feed_url(event)
|
||||
event_title = event_feed_title(event)
|
||||
|
|
|
@ -73,15 +73,17 @@ class Event < ActiveRecord::Base
|
|||
end
|
||||
end
|
||||
|
||||
def proper?
|
||||
def proper?(user = nil)
|
||||
if push?
|
||||
true
|
||||
elsif membership_changed?
|
||||
true
|
||||
elsif created_project?
|
||||
true
|
||||
elsif issue?
|
||||
Ability.abilities.allowed?(user, :read_issue, issue)
|
||||
else
|
||||
((issue? || merge_request? || note?) && target) || milestone?
|
||||
((merge_request? || note?) && target) || milestone?
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- if event.proper?
|
||||
- if event.proper?(current_user)
|
||||
.event-item{class: "#{event.body? ? "event-block" : "event-inline" }"}
|
||||
.event-item-timestamp
|
||||
#{time_ago_with_tooltip(event.created_at)}
|
||||
|
|
|
@ -35,7 +35,7 @@ class Spinach::Features::Groups < Spinach::FeatureSteps
|
|||
end
|
||||
|
||||
step 'I should see projects activity feed' do
|
||||
expect(page).to have_content 'closed issue'
|
||||
expect(page).to have_content 'joined project'
|
||||
end
|
||||
|
||||
step 'I should see issues from group "Owned" assigned to me' do
|
||||
|
|
|
@ -65,6 +65,42 @@ describe Event, models: true do
|
|||
it { expect(@event.author).to eq(@user) }
|
||||
end
|
||||
|
||||
describe '#proper?' do
|
||||
context 'issue event' do
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
let(:non_member) { create(:user) }
|
||||
let(:member) { create(:user) }
|
||||
let(:author) { create(:author) }
|
||||
let(:assignee) { create(:user) }
|
||||
let(:admin) { create(:admin) }
|
||||
let(:event) { Event.new(project: project, action: Event::CREATED, target: issue, author_id: author.id) }
|
||||
|
||||
before do
|
||||
project.team << [member, :developer]
|
||||
end
|
||||
|
||||
context 'for non confidential issues' do
|
||||
let(:issue) { create(:issue, project: project, author: author, assignee: assignee) }
|
||||
|
||||
it { expect(event.proper?(non_member)).to eq true }
|
||||
it { expect(event.proper?(author)).to eq true }
|
||||
it { expect(event.proper?(assignee)).to eq true }
|
||||
it { expect(event.proper?(member)).to eq true }
|
||||
it { expect(event.proper?(admin)).to eq true }
|
||||
end
|
||||
|
||||
context 'for confidential issues' do
|
||||
let(:issue) { create(:issue, :confidential, project: project, author: author, assignee: assignee) }
|
||||
|
||||
it { expect(event.proper?(non_member)).to eq false }
|
||||
it { expect(event.proper?(author)).to eq true }
|
||||
it { expect(event.proper?(assignee)).to eq true }
|
||||
it { expect(event.proper?(member)).to eq true }
|
||||
it { expect(event.proper?(admin)).to eq true }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '.limit_recent' do
|
||||
let!(:event1) { create(:closed_issue_event) }
|
||||
let!(:event2) { create(:closed_issue_event) }
|
||||
|
|
Loading…
Reference in New Issue