From 16a0303801319e722bfcdadbcdeae8550e3e5dcf Mon Sep 17 00:00:00 2001 From: Ruben Davila Date: Mon, 27 Jun 2016 13:23:19 -0500 Subject: [PATCH] Check for conflict with wiki projects when creating a new project. This fix avoids exposing the information from the wiki repository of other project. --- CHANGELOG | 1 + app/models/project.rb | 11 +++++++++++ spec/models/project_spec.rb | 21 +++++++++++++++++++++ 3 files changed, 33 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index d32c1fd8492..07998b0fb5c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -10,6 +10,7 @@ v 8.10.0 (unreleased) - Implement Subresource Integrity for CSS and JavaScript assets. This prevents malicious assets from loading in the case of a CDN compromise. - Fix changing issue state columns in milestone view - Fix user creation with stronger minimum password requirements !4054 (nathan-pmt) + - Check for conflicts with existing Project's wiki path when creating a new project. - Add API endpoint for a group issues !4520 (mahcsig) v 8.9.1 diff --git a/app/models/project.rb b/app/models/project.rb index ca3bc04e2dd..96837364423 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -163,6 +163,7 @@ class Project < ActiveRecord::Base validates :avatar, file_size: { maximum: 200.kilobytes.to_i } validate :visibility_level_allowed_by_group validate :visibility_level_allowed_as_fork + validate :check_wiki_path_conflict add_authentication_token_field :runners_token before_save :ensure_runners_token @@ -539,6 +540,16 @@ class Project < ActiveRecord::Base self.errors.add(:visibility_level, "#{level_name} is not allowed since the fork source project has lower visibility.") end + def check_wiki_path_conflict + return if path.blank? + + path_to_check = path.ends_with?('.wiki') ? path.chomp('.wiki') : "#{path}.wiki" + + if Project.where(namespace_id: namespace_id, path: path_to_check).exists? + errors.add(:name, 'has already been taken') + end + end + def to_param path end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 53c8408633c..d305cd9ff1e 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -63,6 +63,27 @@ describe Project, models: true do expect(project2).not_to be_valid expect(project2.errors[:limit_reached].first).to match(/Personal project creation is not allowed/) end + + describe 'wiki path conflict' do + context "when the new path has been used by the wiki of other Project" do + it 'should have an error on the name attribute' do + new_project = build_stubbed(:project, namespace_id: project.namespace_id, path: "#{project.path}.wiki") + + expect(new_project).not_to be_valid + expect(new_project.errors[:name].first).to eq('has already been taken') + end + end + + context "when the new wiki path has been used by the path of other Project" do + it 'should have an error on the name attribute' do + project_with_wiki_suffix = create(:project, path: 'foo.wiki') + new_project = build_stubbed(:project, namespace_id: project_with_wiki_suffix.namespace_id, path: 'foo') + + expect(new_project).not_to be_valid + expect(new_project.errors[:name].first).to eq('has already been taken') + end + end + end end describe 'default_scope' do