diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:30 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:30 +0300 |
commit | d21a6a45882f873db7aeab736d6bd30c362fde4a (patch) | |
tree | 4c3647221512cc5e8c69f78289faa2f7fee8db21 /spec/controllers | |
parent | 383490a31376eb1bc6eb0617a454d1721c9280a1 (diff) | |
parent | 7e83acb8a2f7fe4a0c0acd6769114e0593c677bb (diff) |
Merge branch 'security-issue_54789_2' into 'master'
[master] Prevent disclosing project milestone titles
Closes #2794
See merge request gitlab/gitlabhq!2965
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/projects/autocomplete_sources_controller_spec.rb | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/spec/controllers/projects/autocomplete_sources_controller_spec.rb b/spec/controllers/projects/autocomplete_sources_controller_spec.rb index 4bc72042710..a9a058e7e17 100644 --- a/spec/controllers/projects/autocomplete_sources_controller_spec.rb +++ b/spec/controllers/projects/autocomplete_sources_controller_spec.rb @@ -35,4 +35,35 @@ describe Projects::AutocompleteSourcesController do avatar_url: user.avatar_url) end end + + describe 'GET milestones' do + let(:group) { create(:group, :public) } + let(:project) { create(:project, :public, namespace: group) } + let!(:project_milestone) { create(:milestone, project: project) } + let!(:group_milestone) { create(:milestone, group: group) } + + before do + sign_in(user) + end + + it 'lists milestones' do + group.add_owner(user) + + get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path } + + milestone_titles = json_response.map { |milestone| milestone["title"] } + expect(milestone_titles).to match_array([project_milestone.title, group_milestone.title]) + end + + context 'when user cannot read project issues and merge requests' do + it 'renders 404' do + project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) + project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE) + + get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path } + + expect(response).to have_gitlab_http_status(404) + end + end + end end |