diff options
author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-07 20:09:00 +0300 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-17 20:47:53 +0300 |
commit | 28acd2b087d5b80cd89354d58f937aed0f4928cb (patch) | |
tree | 0eda3c8ee7be722d51a390c750f1fd39dd88276b /spec/requests/api | |
parent | 75262862c434a98b9183a4a63f3ad86dec52b079 (diff) |
Hide confidential events in ruby
We're filtering the events using `Event#visible_to_user?`.
At most we're loading 100 events at once.
Pagination is also dealt with in the finder, but the resulting array
is wrapped in a `Kaminari.paginate_array` so the API's pagination
helpers keep working. We're passing the total count into that
paginatable array, which would include confidential events. But we're
not disclosing anything.
Diffstat (limited to 'spec/requests/api')
-rw-r--r-- | spec/requests/api/events_spec.rb | 62 | ||||
-rw-r--r-- | spec/requests/api/redacted_events_spec.rb | 68 |
2 files changed, 62 insertions, 68 deletions
diff --git a/spec/requests/api/events_spec.rb b/spec/requests/api/events_spec.rb index 573eebe314d..c4e3ac14441 100644 --- a/spec/requests/api/events_spec.rb +++ b/spec/requests/api/events_spec.rb @@ -182,6 +182,68 @@ describe API::Events do end end + context 'with inaccessible events' do + let(:public_project) { create(:project, :public, creator_id: user.id, namespace: user.namespace) } + let(:confidential_issue) { create(:closed_issue, confidential: true, project: public_project, author: user) } + let!(:confidential_event) { create(:event, project: public_project, author: user, target: confidential_issue, action: Event::CLOSED) } + let(:public_issue) { create(:closed_issue, project: public_project, author: user) } + let!(:public_event) { create(:event, project: public_project, author: user, target: public_issue, action: Event::CLOSED) } + + it 'returns only accessible events' do + get api("/projects/#{public_project.id}/events", non_member) + + expect(response).to have_gitlab_http_status(200) + expect(json_response.size).to eq(1) + end + + it 'returns all events when the user has access' do + get api("/projects/#{public_project.id}/events", user) + + expect(response).to have_gitlab_http_status(200) + expect(json_response.size).to eq(2) + end + end + + context 'pagination' do + let(:public_project) { create(:project, :public) } + + before do + create(:event, + project: public_project, + target: create(:issue, project: public_project, title: 'Issue 1'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-10')) + create(:event, + project: public_project, + target: create(:issue, confidential: true, project: public_project, title: 'Confidential event'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-11')) + create(:event, + project: public_project, + target: create(:issue, project: public_project, title: 'Issue 2'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-12')) + end + + it 'correctly returns the second page without inaccessible events' do + get api("/projects/#{public_project.id}/events", user), per_page: 2, page: 2 + + titles = json_response.map { |event| event['target_title'] } + + expect(titles.first).to eq('Issue 1') + expect(titles).not_to include('Confidential event') + end + + it 'correctly returns the first page without inaccessible events' do + get api("/projects/#{public_project.id}/events", user), per_page: 2, page: 1 + + titles = json_response.map { |event| event['target_title'] } + + expect(titles.first).to eq('Issue 2') + expect(titles).not_to include('Confidential event') + end + end + context 'when not permitted to read' do it 'returns 404' do get api("/projects/#{private_project.id}/events", non_member) diff --git a/spec/requests/api/redacted_events_spec.rb b/spec/requests/api/redacted_events_spec.rb deleted file mode 100644 index 086dd3df9ba..00000000000 --- a/spec/requests/api/redacted_events_spec.rb +++ /dev/null @@ -1,68 +0,0 @@ -require 'spec_helper' - -describe 'Redacted events in API::Events' do - shared_examples 'private events are redacted' do - it 'redacts events the user does not have access to' do - expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original - - get api(path), user - - expect(response).to have_gitlab_http_status(200) - expect(json_response).to contain_exactly( - 'project_id' => nil, - 'action_name' => nil, - 'target_id' => nil, - 'target_iid' => nil, - 'target_type' => nil, - 'author_id' => nil, - 'target_title' => 'Confidential event', - 'created_at' => nil, - 'author_username' => nil - ) - end - end - - describe '/users/:id/events' do - let(:project) { create(:project, :public) } - let(:path) { "/users/#{project.owner.id}/events" } - let(:issue) { create(:issue, :confidential, project: project) } - - before do - EventCreateService.new.open_issue(issue, issue.author) - end - - context 'unauthenticated user views another user with private events' do - let(:user) { nil } - - include_examples 'private events are redacted' - end - - context 'authenticated user without access views another user with private events' do - let(:user) { create(:user) } - - include_examples 'private events are redacted' - end - end - - describe '/projects/:id/events' do - let(:project) { create(:project, :public) } - let(:path) { "/projects/#{project.id}/events" } - let(:issue) { create(:issue, :confidential, project: project) } - - before do - EventCreateService.new.open_issue(issue, issue.author) - end - - context 'unauthenticated user views public project' do - let(:user) { nil } - - include_examples 'private events are redacted' - end - - context 'authenticated user without access views public project' do - let(:user) { create(:user) } - - include_examples 'private events are redacted' - end - end -end |