Ensure logged-out users can't see private refs
This commit is contained in:
parent
293cf09056
commit
db0d3fc3e9
4 changed files with 42 additions and 2 deletions
|
@ -23,6 +23,9 @@ v 8.10.0 (unreleased)
|
|||
- Allow [ci skip] to be in any case and allow [skip ci]. !4785 (simon_w)
|
||||
- Add basic system information like memory and disk usage to the admin panel
|
||||
|
||||
v 8.9.4 (unreleased)
|
||||
- Ensure references to private repos aren't shown to logged-out users
|
||||
|
||||
v 8.9.3
|
||||
- Fix encrypted data backwards compatibility after upgrading attr_encrypted gem. !4963
|
||||
- Fix rendering of commit notes. !4953
|
||||
|
|
|
@ -45,7 +45,7 @@ module Mentionable
|
|||
|
||||
def all_references(current_user = nil, text = nil, extractor: nil)
|
||||
extractor ||= Gitlab::ReferenceExtractor.
|
||||
new(project, current_user || author)
|
||||
new(project, current_user)
|
||||
|
||||
if text
|
||||
extractor.analyze(text, author: author)
|
||||
|
|
|
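Review bot: The new default `new(project, current_user)` makes `current_user = nil` mean an anonymous reader, but nothing at the `def all_references(current_user = nil, text = nil, extractor: nil)` line says so, and the old `|| author` fallback is exactly the kind of thing a later maintainer might reintroduce as a "convenience"; a comment pinning the contract would help, e.g. `# current_user decides which referenced objects are visible; nil means a logged-out reader, never the author.` Callers that pass their own `extractor:` bypass this default entirely, so the visibility of that extractor is their responsibility, which is worth a second line: `# An explicitly passed extractor carries its own user; this default only applies when none is given.` The method body continues past the end of the hunk.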
@ -237,7 +237,7 @@ class TodoService
|
|||
end
|
||||
|
||||
def filter_mentioned_users(project, target, author)
|
||||
mentioned_users = target.mentioned_users
|
||||
mentioned_users = target.mentioned_users(author)
|
||||
mentioned_users = reject_users_without_access(mentioned_users, project, target)
|
||||
mentioned_users.delete(author)
|
||||
mentioned_users.uniq
|
||||
|
|
|
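Review bot: Passing `author` into `target.mentioned_users(author)` is the opposite choice from the Mentionable change in this same commit, where the author fallback was removed, and a reader comparing the two hunks will wonder whether one of them is wrong; a why-comment at that line would settle it, e.g. `# Resolve mentions with the author's visibility: todos follow from the author's action, and reject_users_without_access filters the recipients afterwards.` This also documents that the second filter is what keeps a mentioned user from learning about a target they cannot see, which is inferred from the call's name here, so confirm it before committing the wording. The method's closing `end` is outside the hunk.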
@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
|
|||
it { is_expected.not_to include(user2) }
|
||||
end
|
||||
|
||||
describe '#referenced_mentionables' do
|
||||
context 'with an issue on a private project' do
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
let(:issue) { create(:issue, project: project) }
|
||||
let(:public_issue) { create(:issue, project: project) }
|
||||
let(:private_project) { create(:empty_project, :private) }
|
||||
let(:private_issue) { create(:issue, project: private_project) }
|
||||
let(:user) { create(:user) }
|
||||
|
||||
def referenced_issues(current_user)
|
||||
text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}"
|
||||
|
||||
issue.referenced_mentionables(current_user, text)
|
||||
end
|
||||
|
||||
context 'when the current user can see the issue' do
|
||||
before { private_project.team << [user, Gitlab::Access::DEVELOPER] }
|
||||
|
||||
it 'includes the reference' do
|
||||
expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the current user cannot see the issue' do
|
||||
it 'does not include the reference' do
|
||||
expect(referenced_issues(user)).to contain_exactly(public_issue)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when there is no current user' do
|
||||
it 'does not include the reference' do
|
||||
expect(referenced_issues(nil)).to contain_exactly(public_issue)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#create_cross_references!' do
|
||||
let(:project) { create(:project) }
|
||||
let(:author) { double('author') }
|
||||
|
|
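Review bot: The context at `context 'with an issue on a private project' do` is misnamed, since `issue` is created on the public `project` and only the referenced `private_issue` lives on `private_project`; `context 'with a reference to an issue on a private project' do` describes what is actually set up. The 'when there is no current user' example would also be a stronger regression test for the removed `current_user || author` fallback if the issue's author could see the private project, because as written it passes whether or not the fallback is gone; a `before { private_project.team << [issue.author, Gitlab::Access::DEVELOPER] }` in that context, mirroring the existing team setup, would make the anonymous case prove that the author's access is no longer used. This assumes the factory-built `issue` has an `author` that is not already a member of `private_project`, which the page does not show.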