Prevent private project name and namespace from leaking in the new MR view
Fixes #15591. Signed-off-by: Rémy Coutable <remy@rymai.me>
parent
b79c5c40e1
commit
cd0750e045
2 changed files with 13 additions and 0 deletions
|
@ -7,6 +7,9 @@ module MergeRequests
|
|||
merge_request.can_be_created = false
|
||||
merge_request.compare_commits = []
|
||||
merge_request.source_project = project unless merge_request.source_project
|
||||
|
||||
merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
|
||||
|
||||
merge_request.target_project ||= (project.forked_from_project || project)
|
||||
merge_request.target_branch ||= merge_request.target_project.default_branch
|
||||
|
||||
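Review bot: The line just above the new guard, `merge_request.source_project = project unless merge_request.source_project`, keeps any caller-supplied source project without the `:read_project` check that the new line applies to the target, so if a source project id can arrive from the request the same way as `target_project_id`, a private project's name and namespace could still be rendered. Consider the same guard there, e.g. `merge_request.source_project = project unless can?(current_user, :read_project, merge_request.source_project)`, assuming `can?` returns false for nil as the new target line already relies on. The fallback `project.forked_from_project || project` is also assigned without a permission check, so a fork parent the user can no longer read deserves the same treatment. A short comment on the new line, such as `# Drop a target the user may not read so its name and namespace are never rendered`, would record why the reset exists. The enclosing method starts and ends outside the hunk.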
|
|
|
@ -30,4 +30,14 @@ feature 'Create New Merge Request', feature: true, js: true do
|
|||
|
||||
expect(page).to have_content 'git checkout -b orphaned-branch origin/orphaned-branch'
|
||||
end
|
||||
|
||||
context 'when target project cannot be viewed by the current user' do
|
||||
it 'does not leak the private project name & namespace' do
|
||||
private_project = create(:project, :private)
|
||||
|
||||
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
|
||||
|
||||
expect(page).not_to have_content private_project.to_reference
|
||||
end
|
||||
end
|
||||
end
|
||||
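Review bot: The new example only asserts that `private_project.to_reference` is absent, which also holds when the page errors or redirects, so the spec can pass without ever exercising the fallback to a readable target. Put a positive expectation on something the new merge request form is known to show for the fallback target ahead of the negative one. If the human-readable project name differs from the reference string, assert its absence as well, since the example title promises both name and namespace. There is no matching example for a source project the user cannot read; whether one is needed depends on whether the builder accepts a source project id from the request. The enclosing `feature` block starts outside the hunk.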
|
|