Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee

2 files changed, 53 insertions, 16 deletions

diff --git a/spec/graphql/mutations/issues/set_confidential_spec.rb b/spec/graphql/mutations/issues/set_confidential_spec.rb
index 820f9aa5e17..0b2fc0ecb93 100644
--- a/spec/graphql/mutations/issues/set_confidential_spec.rb
+++ b/spec/graphql/mutations/issues/set_confidential_spec.rb
@@ -3,7 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Mutations::Issues::SetConfidential do
-  let(:issue) { create(:issue) }
+  let(:project) { create(:project, :private) }
+  let(:issue) { create(:issue, project: project, assignees: [user]) }
   let(:user) { create(:user) }
 
   subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
@@ -14,7 +15,7 @@ RSpec.describe Mutations::Issues::SetConfidential do
     let(:confidential) { true }
     let(:mutated_issue) { subject[:issue] }
 
-    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, confidential: confidential) }
+    subject { mutation.resolve(project_path: project.full_path, iid: issue.iid, confidential: confidential) }
 
     it 'raises an error if the resource is not accessible to the user' do
       expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
@@ -22,7 +23,7 @@ RSpec.describe Mutations::Issues::SetConfidential do
 
     context 'when the user can update the issue' do
       before do
-        issue.project.add_developer(user)
+        project.add_developer(user)
       end
 
       it 'returns the issue as confidential' do
@@ -39,5 +40,19 @@ RSpec.describe Mutations::Issues::SetConfidential do
         end
       end
     end
+
+    context 'when guest user is an assignee' do
+      let(:project) { create(:project, :public) }
+
+      before do
+        project.add_guest(user)
+      end
+
+      it 'does not change issue confidentiality' do
+        expect(mutated_issue).to eq(issue)
+        expect(mutated_issue.confidential).to be_falsey
+        expect(subject[:errors]).to be_empty
+      end
+    end
   end
 end
diff --git a/spec/graphql/mutations/merge_requests/set_milestone_spec.rb b/spec/graphql/mutations/merge_requests/set_milestone_spec.rb
index 1c0d655ee83..ccb2d9bd132 100644
--- a/spec/graphql/mutations/merge_requests/set_milestone_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_milestone_spec.rb
@@ -3,31 +3,29 @@
 require 'spec_helper'
 
 RSpec.describe Mutations::MergeRequests::SetMilestone do
-  let(:merge_request) { create(:merge_request) }
   let(:user) { create(:user) }
+  let(:project) { create(:project, :private) }
+  let(:merge_request) { create(:merge_request, source_project: project, target_project: project, assignees: [user]) }
+  let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
+  let(:milestone) { create(:milestone, project: project) }
 
-  subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
+  subject { mutation.resolve(project_path: project.full_path, iid: merge_request.iid, milestone: milestone) }
 
   specify { expect(described_class).to require_graphql_authorizations(:update_merge_request) }
 
   describe '#resolve' do
-    let(:milestone) { create(:milestone, project: merge_request.project) }
-    let(:mutated_merge_request) { subject[:merge_request] }
-
-    subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, milestone: milestone) }
-
     it 'raises an error if the resource is not accessible to the user' do
       expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
     end
 
     context 'when the user can update the merge request' do
       before do
-        merge_request.project.add_developer(user)
+        project.add_developer(user)
       end
 
       it 'returns the merge request with the milestone' do
-        expect(mutated_merge_request).to eq(merge_request)
-        expect(mutated_merge_request.milestone).to eq(milestone)
+        expect(subject[:merge_request]).to eq(merge_request)
+        expect(subject[:merge_request].milestone).to eq(milestone)
         expect(subject[:errors]).to be_empty
       end
 
@@ -43,13 +41,37 @@ RSpec.describe Mutations::MergeRequests::SetMilestone do
         let(:milestone) { nil }
 
         it 'removes the milestone' do
-          merge_request.update!(milestone: create(:milestone, project: merge_request.project))
+          merge_request.update!(milestone: create(:milestone, project: project))
 
-          expect(mutated_merge_request.milestone).to eq(nil)
+          expect(subject[:merge_request].milestone).to be_nil
         end
 
         it 'does not do anything if the MR already does not have a milestone' do
-          expect(mutated_merge_request.milestone).to eq(nil)
+          expect(subject[:merge_request].milestone).to be_nil
+        end
+      end
+    end
+
+    context 'when issue assignee is a guest' do
+      let(:project) { create(:project, :public) }
+
+      before do
+        project.add_guest(user)
+      end
+
+      it 'does not update the milestone' do
+        expect(subject[:merge_request]).to eq(merge_request)
+        expect(subject[:merge_request].milestone).to be_nil
+        expect(subject[:errors]).to be_empty
+      end
+
+      context 'when passing milestone_id as nil' do
+        let(:milestone) { nil }
+
+        it 'does not remove the milestone' do
+          merge_request.update!(milestone: create(:milestone, project: project))
+
+          expect(subject[:merge_request].milestone).not_to be_nil
         end
       end
     end