author | Felipe Artur <felipefac@gmail.com> | 2019-05-20 17:08:31 +0300 |
committer | Felipe Artur <felipefac@gmail.com> | 2019-05-20 17:08:34 +0300 |
commit | b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch) | |
tree | f2ce52b008b39683db353f07723d14e104b0b250 /spec/lib/gitlab/search_results_spec.rb | |
parent | 1602ce28c65125f045e36c4420dafd6a7788d37c (diff) |
Resolve: Milestones leaked via search API
Fix milestone titles being leaked via the search API
when users cannot read milestones
Diffstat (limited to 'spec/lib/gitlab/search_results_spec.rb')
-rw-r--r-- | spec/lib/gitlab/search_results_spec.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index 312aa3be490..3d27156b356 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -256,4 +256,28 @@ describe Gitlab::SearchResults do
       expect(results.objects('merge_requests')).not_to include merge_request
     end
+
+  context 'milestones' do
+    it 'returns correct set of milestones' do
+      private_project_1 = create(:project, :private)
+      private_project_2 = create(:project, :private)
+      internal_project = create(:project, :internal)
+      public_project_1 = create(:project, :public)
+      public_project_2 = create(:project, :public, :issues_disabled, :merge_requests_disabled)
+      private_project_1.add_developer(user)
+      # milestones that should not be visible
+      create(:milestone, project: private_project_2, title: 'Private project without access milestone')
+      create(:milestone, project: public_project_2, title: 'Public project with milestones disabled milestone')
+      # milestones that should be visible
+      milestone_1 = create(:milestone, project: private_project_1, title: 'Private project with access milestone', state: 'closed')
+      milestone_2 = create(:milestone, project: internal_project, title: 'Internal project milestone')
+      milestone_3 = create(:milestone, project: public_project_1, title: 'Public project with milestones enabled milestone')
+      # Global search scope takes user authorized projects, internal projects and public projects.
+      limit_projects = ProjectsFinder.new(current_user: user).execute
+
+      milestones = described_class.new(user, limit_projects, 'milestone').objects('milestones')
+
+      expect(milestones).to match_array([milestone_1, milestone_2, milestone_3])
+    end
+  end
 end
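Review bot: The new example only exercises a signed-in `user`, so the anonymous path — the caller most likely to be denied milestone access — gets no regression coverage for the leak this commit fixes. A second example built the same way but calling `described_class.new(nil, ProjectsFinder.new(current_user: nil).execute, 'milestone').objects('milestones')` and expecting only the public-project milestone would pin that behaviour (internal projects presumably drop out without a user — confirm against the finder). A public project whose issues and merge requests are restricted to members would likewise separate "feature disabled" from "feature restricted", which the `:issues_disabled, :merge_requests_disabled` project alone does not. `state: 'closed'` on `milestone_1` is the only state set in the example and nothing explains it; a comment such as `# closed milestones are still returned when the user can read them` would make the intent clear. `user` is a `let` defined outside the hunk, and the enclosing `describe` starts outside it.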