Fix confidential issue label disclosure on milestone view
Add changelog entry. Method should be public. Use milestonish method. Use render data to filter labels. Add specs for label visibility on milestone.
This commit is contained in:
parent
b02fca9684
commit
b6424b378d
|
@ -26,16 +26,22 @@ module MilestoneActions
|
|||
end
|
||||
end
|
||||
|
||||
# rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||
def labels
|
||||
respond_to do |format|
|
||||
format.html { redirect_to milestone_redirect_path }
|
||||
format.json do
|
||||
milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
|
||||
|
||||
render json: tabs_json("shared/milestones/_labels_tab", {
|
||||
labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables
|
||||
labels: milestone_labels.map do |label|
|
||||
label.present(issuable_subject: @milestone.parent)
|
||||
end
|
||||
})
|
||||
end
|
||||
end
|
||||
end
|
||||
# rubocop:enable Gitlab/ModuleWithInstanceVariables
|
||||
|
||||
private
|
||||
|
||||
|
|
|
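Review bot: The authorization boundary for this endpoint now lives entirely in `issue_labels_visible_by_user`, which is defined outside this hunk, and nothing in `labels` records that `@milestone.labels` must not be reintroduced here; a comment above the `milestone_labels =` line would let the intent survive a later refactor, e.g. `# Only labels of issues the current user can read; @milestone.labels would disclose labels of confidential issues.` MilestoneActions looks like a shared concern, so the same `labels` action presumably serves group-level milestones as well, while the added spec only covers Projects::MilestonesController — worth confirming that any other controller including this module is exercised too. The new method's name also suggests only issue labels are considered; if the milestone label listing previously included labels attached to merge requests, check that `issue_labels_visible_by_user` still returns those, otherwise this fix silently narrows the tab's content.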
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Fix confidential issue label disclosure on milestone view
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -175,6 +175,40 @@ describe Projects::MilestonesController do
|
|||
end
|
||||
end
|
||||
|
||||
describe '#labels' do
|
||||
render_views
|
||||
|
||||
context 'as json' do
|
||||
let!(:guest) { create(:user, username: 'guest1') }
|
||||
let!(:group) { create(:group, :public) }
|
||||
let!(:project) { create(:project, :public, group: group) }
|
||||
let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
|
||||
let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
|
||||
|
||||
it 'does not render labels of private issues if user has no access' do
|
||||
sign_in(guest)
|
||||
|
||||
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response.content_type).to eq 'application/json'
|
||||
|
||||
expect(json_response['html']).not_to include(label.title)
|
||||
end
|
||||
|
||||
it 'does render labels of private issues if user has access' do
|
||||
sign_in(user)
|
||||
|
||||
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response.content_type).to eq 'application/json'
|
||||
|
||||
expect(json_response['html']).to include(label.title)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'promotion succeeds' do
|
||||
before do
|
||||
group.add_developer(user)
|
||||
|
|
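Review bot: Both examples in `context 'as json'` sign in a principal (`guest` and `user`), so the unauthenticated visitor on this public project is not covered by the regression test, although the public group/project setup suggests that is the case the fix is meant to protect. The 'does render … if user has access' example also relies on `user`'s membership being established by a `let`/`before` outside this hunk; making it explicit with `group.add_developer(user)` in a `before` block, as the `promotion succeeds` context below does, keeps the example from passing or failing for reasons unrelated to label visibility. An additional example for the anonymous visitor would close the gap, assuming the milestone endpoint is reachable without sign-in on a public project:
```ruby
# … unchanged: existing guest and member examples …

it 'does not render labels of private issues for anonymous users' do
  get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json

  expect(response).to have_gitlab_http_status(200)
  expect(response.content_type).to eq 'application/json'
  expect(json_response['html']).not_to include(label.title)
end
```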