Resolve: Milestones leaked via search API

Fix milestone titles being leaked using search API
when users cannot read milestones

1 files changed, 24 insertions, 0 deletions

diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index 312aa3be490..3d27156b356 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -256,4 +256,28 @@ describe Gitlab::SearchResults do
 
     expect(results.objects('merge_requests')).not_to include merge_request
   end
+
+  context 'milestones' do
+    it 'returns correct set of milestones' do
+      private_project_1 = create(:project, :private)
+      private_project_2 = create(:project, :private)
+      internal_project = create(:project, :internal)
+      public_project_1 = create(:project, :public)
+      public_project_2 = create(:project, :public, :issues_disabled, :merge_requests_disabled)
+      private_project_1.add_developer(user)
+      # milestones that should not be visible
+      create(:milestone, project: private_project_2, title: 'Private project without access milestone')
+      create(:milestone, project: public_project_2, title: 'Public project with milestones disabled milestone')
+      # milestones that should be visible
+      milestone_1 = create(:milestone, project: private_project_1, title: 'Private project with access milestone', state: 'closed')
+      milestone_2 = create(:milestone, project: internal_project, title: 'Internal project milestone')
+      milestone_3 = create(:milestone, project: public_project_1, title: 'Public project with milestones enabled milestone')
+      # Global search scope takes user authorized projects, internal projects and public projects.
+      limit_projects = ProjectsFinder.new(current_user: user).execute
+
+      milestones = described_class.new(user, limit_projects, 'milestone').objects('milestones')
+
+      expect(milestones).to match_array([milestone_1, milestone_2, milestone_3])
+    end
+  end
 end