Merge branch 'security-rd-do-not-show-internal-info-in-public-feed' into 'master'
[master] Don't show internal info in public feed. See merge request gitlab/gitlabhq!2395
This commit is contained in:
commit
c7d8096983
|
@ -56,7 +56,7 @@ class UserRecentEventsFinder
|
|||
|
||||
visible = target_user
|
||||
.project_interactions
|
||||
.where(visibility_level: [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC])
|
||||
.where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))
|
||||
.select(:id)
|
||||
|
||||
Gitlab::SQL::Union.new([authorized, visible]).to_sql
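Review bot: The replacement of the hard-coded `[INTERNAL, PUBLIC]` list with `Gitlab::VisibilityLevel.levels_for_user(current_user)` changes the `visible` branch for more than just anonymous users, and nothing in the hunk records the intended semantics; if `levels_for_user` returns every level for an administrator (as its name suggests, though that is not visible here), the `visible` subquery now also yields the target user's private-project interactions for admins, which the old list never did. That may be the desired behaviour, but it deserves a comment so the next reader does not assume this query is public/internal only: `# Visibility now follows current_user: anonymous => PUBLIC only, regular users => INTERNAL + PUBLIC; check levels_for_user for what administrators get.` The `authorized` relation that is unioned with `visible` is defined outside this hunk, as is the enclosing method, so the combined result for a member of a private project cannot be confirmed from here.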
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Don't show events from internal projects for anonymous users in public feed
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -1,31 +1,50 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe UserRecentEventsFinder do
|
||||
let(:user) { create(:user) }
|
||||
let(:project) { create(:project) }
|
||||
let(:project_owner) { project.creator }
|
||||
let!(:event) { create(:event, project: project, author: project_owner) }
|
||||
let(:current_user) { create(:user) }
|
||||
let(:project_owner) { create(:user) }
|
||||
let(:private_project) { create(:project, :private, creator: project_owner) }
|
||||
let(:internal_project) { create(:project, :internal, creator: project_owner) }
|
||||
let(:public_project) { create(:project, :public, creator: project_owner) }
|
||||
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
|
||||
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
|
||||
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
|
||||
|
||||
subject(:finder) { described_class.new(user, project_owner) }
|
||||
subject(:finder) { described_class.new(current_user, project_owner) }
|
||||
|
||||
describe '#execute' do
|
||||
it 'does not include the event when a user does not have access to the project' do
|
||||
expect(finder.execute).to be_empty
|
||||
context 'current user does not have access to projects' do
|
||||
it 'returns public and internal events' do
|
||||
records = finder.execute
|
||||
|
||||
expect(records).to include(public_event, internal_event)
|
||||
expect(records).not_to include(private_event)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the user has access to a project' do
|
||||
context 'when current user has access to the projects' do
|
||||
before do
|
||||
project.add_developer(user)
|
||||
private_project.add_developer(current_user)
|
||||
internal_project.add_developer(current_user)
|
||||
public_project.add_developer(current_user)
|
||||
end
|
||||
|
||||
it 'includes the event' do
|
||||
expect(finder.execute).to include(event)
|
||||
it 'returns all the events' do
|
||||
expect(finder.execute).to include(private_event, internal_event, public_event)
|
||||
end
|
||||
|
||||
it 'does not include the event if the user cannot read cross project' do
|
||||
expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
|
||||
it 'does not include the events if the user cannot read cross project' do
|
||||
expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false }
|
||||
expect(finder.execute).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context 'when current user is anonymous' do
|
||||
let(:current_user) { nil }
|
||||
|
||||
it 'returns public events only' do
|
||||
expect(finder.execute).to eq([public_event])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
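Review bot: The new spec covers a user with no membership, a user who is a member of all three projects, and an anonymous user, but not the case the UNION in the finder exists for: a signed-in user who is a member of only `private_project` and must still see `internal_event` and `public_event` through the visibility branch while seeing `private_event` through the authorization branch. Without that case a regression that drops either side of the union would still pass, because the all-projects context satisfies `include` from `authorized` alone and the no-access context from `visible` alone. A context like the one below would pin the combination; `eq` is used deliberately, as in the anonymous case, so an extra private event from another project could not slip in unnoticed.

```ruby
context 'when current user is a member of the private project only' do
  before do
    private_project.add_developer(current_user)
  end

  it 'returns the private event together with the internal and public ones' do
    expect(finder.execute).to match_array([private_event, internal_event, public_event])
  end
end
```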
|
||||
|
|