Merge branch 'security-fix_milestones_search_api_leak' into 'master'

Resolve: Milestones leaked via search API Closes #2822 See merge request gitlab/gitlabhq!2997
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 15:34:07 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 15:34:07 +0300
commit: 38e4977dc7931aea13f496cafd3ed7d15d5ec93e (patch)
tree: dea9ebb60dbdab61dd5933cc4405353704356306 /spec/requests/api/search_spec.rb
parent: 5dc6c8f2d08534281b0e1adf404af0e8642eb407 (diff)
parent: b70b43d07ec27c6410e4a8d7ad417662a8823f8f (diff)
1 files changed, 42 insertions, 4 deletions
diff --git a/spec/requests/api/search_spec.rb b/spec/requests/api/search_spec.rb
index 7d61ec9c4d8..3e0b478abb3 100644
--- a/spec/requests/api/search_spec.rb
+++ b/spec/requests/api/search_spec.rb
@@ -70,11 +70,30 @@ describe API::Search do
       context 'for milestones scope' do
         before do
           create(:milestone, project: project, title: 'awesome milestone')
+        end
+
+        context 'when user can read project milestones' do
+          before do
+            get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+          end
 
-          get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+          it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
         end
 
-        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+        context 'when user cannot read project milestones' do
+          before do
+            project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+            project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+          end
+
+          it 'returns empty array' do
+            get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+
+            milestones = JSON.parse(response.body)
+
+            expect(milestones).to be_empty
+          end
+        end
       end
 
       context 'for users scope' do
@@ -318,11 +337,30 @@ describe API::Search do
       context 'for milestones scope' do
         before do
           create(:milestone, project: project, title: 'awesome milestone')
+        end
+
+        context 'when user can read milestones' do
+          before do
+            get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+          end
 
-          get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+          it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
         end
 
-        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+        context 'when user cannot read project milestones' do
+          before do
+            project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+            project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+          end
+
+          it 'returns empty array' do
+            get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+
+            milestones = JSON.parse(response.body)
+
+            expect(milestones).to be_empty
+          end
+        end
       end
 
       context 'for users scope' do
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 15:34:07 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 15:34:07 +0300
commit	38e4977dc7931aea13f496cafd3ed7d15d5ec93e (patch)
tree	dea9ebb60dbdab61dd5933cc4405353704356306 /spec/requests/api/search_spec.rb
parent	5dc6c8f2d08534281b0e1adf404af0e8642eb407 (diff)
parent	b70b43d07ec27c6410e4a8d7ad417662a8823f8f (diff)