authorRobert Speicher <robert@gitlab.com>2016-06-15 00:29:29 +0300
committerTomasz Maczukin <tomasz@maczukin.pl>2016-06-15 01:03:17 +0300
commitea13df6dd933a0b43fa648ca26781ca9ad5a0c2b (patch)
tree59818c856407d528543c3a9d5ec2f91569c3e21f
parent778185a81aaf1596f1e6e118c434487e40aad2d6 (diff)
Merge branch '18535-confidential-issue-notes' into 'master'
Only show notes through JSON on confidential issues that the user has access to Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18535 See merge request !1970
-rw-r--r--CHANGELOG1
-rw-r--r--app/finders/notes_finder.rb2
-rw-r--r--spec/finders/notes_finder_spec.rb16
3 files changed, 18 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 68884efb50f..06b1afe673a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ v 8.8.5
- Fix incremental trace upload API when using multi-byte UTF-8 chars in trace !4541
- Prevent unauthorized access for projects build traces
- Forbid scripting for wiki files
+ - Only show notes through JSON on confidential issues that the user has access to
v 8.8.4
- Fix LDAP-based login for users with 2FA enabled. !4493
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index c41be333537..fec8d8e7832 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -12,7 +12,7 @@ class NotesFinder
when "commit"
project.notes.for_commit_id(target_id).non_diff_notes
when "issue"
- project.issues.find(target_id).notes.nonawards.inc_author
+ project.issues.visible_to_user(current_user).find(target_id).notes.inc_author
when "merge_request"
project.merge_requests.find(target_id).mr_and_commit_notes.nonawards.inc_author
when "snippet", "project_snippet"
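Review bot: The new issue branch drops the `.nonawards` scope that the removed line carried and that the merge_request branch two lines below still applies, so whatever notes that scope filters out (presumably award notes) are now returned for issues but not for merge requests, and neither the commit message nor the spec mentions this. If the omission is accidental the line should read `project.issues.visible_to_user(current_user).find(target_id).notes.nonawards.inc_author`; if it is intentional, a one-line comment such as `# award notes are intentionally included for issues` would keep the two branches from looking inconsistent. The visibility check itself relies on `visible_to_user(current_user)` raising `ActiveRecord::RecordNotFound` for issues the user cannot see, which the new spec pins down. The enclosing `execute` method starts and ends outside the hunk, so `current_user` is assumed to be the user argument it receives.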
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index c83824b900d..639b28d49ee 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -34,5 +34,21 @@ describe NotesFinder do
notes = NotesFinder.new.execute(project, user, params)
expect(notes).to eq([note1])
end
+
+ context 'confidential issue notes' do
+ let(:confidential_issue) { create(:issue, :confidential, project: project, author: user) }
+ let!(:confidential_note) { create(:note, noteable: confidential_issue, project: confidential_issue.project) }
+
+ let(:params) { { target_id: confidential_issue.id, target_type: 'issue', last_fetched_at: 1.hour.ago.to_i } }
+
+ it 'returns notes if user can see the issue' do
+ expect(NotesFinder.new.execute(project, user, params)).to eq([confidential_note])
+ end
+
+ it 'raises an error if user can not see the issue' do
+ user = create(:user)
+ expect { NotesFinder.new.execute(project, user, params) }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
end
end
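Review bot: In the negative example the local `user = create(:user)` shadows the `let(:user)` that `confidential_issue` and `params` are built from, which makes it easy to misread which user is the author and which is the outsider; naming the local `other_user = create(:user)` and calling `NotesFinder.new.execute(project, other_user, params)` would make the intent explicit. The positive example only covers the issue author; if `let(:user)` is defined as a project member elsewhere in the file that case is covered, otherwise a second example for a non-author member with project access would document the intended audience of the `visible_to_user` scope. The `describe NotesFinder` block starts outside the hunk.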