Resolve: Milestones leaked via search API

Fix milestone titles being leaked using search API when users cannot read milestones
author: Felipe Artur <felipefac@gmail.com> 2019-05-20 17:08:31 +0300
committer: Felipe Artur <felipefac@gmail.com> 2019-05-20 17:08:34 +0300
commit: b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch)
tree: f2ce52b008b39683db353f07723d14e104b0b250 /spec/requests/api/search_spec.rb
parent: 1602ce28c65125f045e36c4420dafd6a7788d37c (diff)
1 files changed, 42 insertions, 4 deletions
diff --git a/spec/requests/api/search_spec.rb b/spec/requests/api/search_spec.rb
index 49672591b3b..42e0efa10b7 100644
--- a/spec/requests/api/search_spec.rb
+++ b/spec/requests/api/search_spec.rb
@@ -70,11 +70,30 @@ describe API::Search do
       context 'for milestones scope' do
         before do
           create(:milestone, project: project, title: 'awesome milestone')
+        end
+
+        context 'when user can read project milestones' do
+          before do
+            get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+          end
 
-          get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+          it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
         end
 
-        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+        context 'when user cannot read project milestones' do
+          before do
+            project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+            project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+          end
+
+          it 'returns empty array' do
+            get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
+
+            milestones = JSON.parse(response.body)
+
+            expect(milestones).to be_empty
+          end
+        end
       end
 
       context 'for users scope' do
@@ -318,11 +337,30 @@ describe API::Search do
       context 'for milestones scope' do
         before do
           create(:milestone, project: project, title: 'awesome milestone')
+        end
+
+        context 'when user can read milestones' do
+          before do
+            get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+          end
 
-          get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+          it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
         end
 
-        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+        context 'when user cannot read project milestones' do
+          before do
+            project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+            project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+          end
+
+          it 'returns empty array' do
+            get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
+
+            milestones = JSON.parse(response.body)
+
+            expect(milestones).to be_empty
+          end
+        end
       end
 
       context 'for users scope' do
author	Felipe Artur <felipefac@gmail.com>	2019-05-20 17:08:31 +0300
committer	Felipe Artur <felipefac@gmail.com>	2019-05-20 17:08:34 +0300
commit	b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch)
tree	f2ce52b008b39683db353f07723d14e104b0b250 /spec/requests/api/search_spec.rb
parent	1602ce28c65125f045e36c4420dafd6a7788d37c (diff)