Merge branch 'security-59581-related-merge-requests-count' into 'master'

Expose merge requests count based on user access

See merge request gitlab/gitlabhq!3157

3 files changed, 92 insertions, 27 deletions

diff --git a/spec/requests/api/issues/get_group_issues_spec.rb b/spec/requests/api/issues/get_group_issues_spec.rb
index 8b02cf56e9f..9a41d790945 100644
--- a/spec/requests/api/issues/get_group_issues_spec.rb
+++ b/spec/requests/api/issues/get_group_issues_spec.rb
@@ -23,7 +23,11 @@ describe API::Issues do
 
   describe 'GET /groups/:id/issues' do
     let!(:group)            { create(:group) }
-    let!(:group_project)    { create(:project, :public, creator_id: user.id, namespace: group) }
+    let!(:group_project)    { create(:project, :public, :repository, creator_id: user.id, namespace: group) }
+    let!(:private_mrs_project) do
+      create(:project, :public, :repository, creator_id: user.id, namespace: group, merge_requests_access_level: ProjectFeature::PRIVATE)
+    end
+
     let!(:group_closed_issue) do
       create :closed_issue,
         author: user,
@@ -234,6 +238,30 @@ describe API::Issues do
             it_behaves_like 'group issues statistics'
           end
         end
+
+        context "when returns issue merge_requests_count for different access levels" do
+          let!(:merge_request1) do
+            create(:merge_request,
+                   :simple,
+                   author: user,
+                   source_project: private_mrs_project,
+                   target_project: private_mrs_project,
+                   description: "closes #{group_issue.to_reference(private_mrs_project)}")
+          end
+          let!(:merge_request2) do
+            create(:merge_request,
+                   :simple,
+                   author: user,
+                   source_project: group_project,
+                   target_project: group_project,
+                   description: "closes #{group_issue.to_reference}")
+          end
+
+          it_behaves_like 'accessible merge requests count' do
+            let(:api_url) { base_url }
+            let(:target_issue) { group_issue }
+          end
+        end
       end
     end
 
diff --git a/spec/requests/api/issues/get_project_issues_spec.rb b/spec/requests/api/issues/get_project_issues_spec.rb
index 0b0f754ab57..f7ca6fd1e0a 100644
--- a/spec/requests/api/issues/get_project_issues_spec.rb
+++ b/spec/requests/api/issues/get_project_issues_spec.rb
@@ -4,8 +4,9 @@ require 'spec_helper'
 
 describe API::Issues do
   set(:user) { create(:user) }
-  set(:project) do
-    create(:project, :public, creator_id: user.id, namespace: user.namespace)
+  set(:project) { create(:project, :public, :repository, creator_id: user.id, namespace: user.namespace) }
+  set(:private_mrs_project) do
+    create(:project, :public, :repository, creator_id: user.id, namespace: user.namespace, merge_requests_access_level: ProjectFeature::PRIVATE)
   end
 
   let(:user2)       { create(:user) }
@@ -60,9 +61,28 @@ describe API::Issues do
   let(:no_milestone_title) { 'None' }
   let(:any_milestone_title) { 'Any' }
 
+  let!(:merge_request1) do
+    create(:merge_request,
+           :simple,
+           author: user,
+           source_project: project,
+           target_project: project,
+           description: "closes #{issue.to_reference}")
+  end
+  let!(:merge_request2) do
+    create(:merge_request,
+           :simple,
+           author: user,
+           source_project: private_mrs_project,
+           target_project: private_mrs_project,
+           description: "closes #{issue.to_reference(private_mrs_project)}")
+  end
+
   before(:all) do
     project.add_reporter(user)
     project.add_guest(guest)
+    private_mrs_project.add_reporter(user)
+    private_mrs_project.add_guest(guest)
   end
 
   before do
@@ -257,6 +277,11 @@ describe API::Issues do
       expect_paginated_array_response(issue.id)
     end
 
+    it_behaves_like 'accessible merge requests count' do
+      let(:api_url) { "/projects/#{project.id}/issues" }
+      let(:target_issue) { issue }
+    end
+
     context 'with labeled issues' do
       let(:label_b) { create(:label, title: 'foo', project: project) }
       let(:label_c) { create(:label, title: 'bar', project: project) }
@@ -636,34 +661,26 @@ describe API::Issues do
         expect(json_response['iid']).to eq(confidential_issue.iid)
       end
     end
-  end
-
-  describe 'GET :id/issues/:issue_iid/closed_by' do
-    let(:merge_request) do
-      create(:merge_request,
-        :simple,
-        author: user,
-        source_project: project,
-        target_project: project,
-        description: "closes #{issue.to_reference}")
-    end
 
-    before do
-      create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request)
+    it_behaves_like 'accessible merge requests count' do
+      let(:api_url) { "/projects/#{project.id}/issues/#{issue.iid}" }
+      let(:target_issue) { issue }
     end
+  end
 
+  describe 'GET :id/issues/:issue_iid/closed_by' do
     context 'when unauthenticated' do
       it 'return public project issues' do
         get api("/projects/#{project.id}/issues/#{issue.iid}/closed_by")
 
-        expect_paginated_array_response(merge_request.id)
+        expect_paginated_array_response(merge_request1.id)
       end
     end
 
     it 'returns merge requests that will close issue on merge' do
       get api("/projects/#{project.id}/issues/#{issue.iid}/closed_by", user)
 
-      expect_paginated_array_response(merge_request.id)
+      expect_paginated_array_response(merge_request1.id)
     end
 
     context 'when no merge requests will close issue' do
@@ -721,13 +738,6 @@ describe API::Issues do
     end
 
     it 'returns merge requests that mentioned a issue' do
-      create(:merge_request,
-        :simple,
-        author: user,
-        source_project: project,
-        target_project: project,
-        description: 'Some description')
-
       get_related_merge_requests(project.id, issue.iid, user)
 
       expect_paginated_array_response(related_mr.id)
diff --git a/spec/requests/api/issues/issues_spec.rb b/spec/requests/api/issues/issues_spec.rb
index f32ffd1c77b..d195f54be11 100644
--- a/spec/requests/api/issues/issues_spec.rb
+++ b/spec/requests/api/issues/issues_spec.rb
@@ -4,8 +4,9 @@ require 'spec_helper'
 
 describe API::Issues do
   set(:user) { create(:user) }
-  set(:project) do
-    create(:project, :public, creator_id: user.id, namespace: user.namespace)
+  set(:project) { create(:project, :public, :repository, creator_id: user.id, namespace: user.namespace) }
+  set(:private_mrs_project) do
+    create(:project, :public, :repository, creator_id: user.id, namespace: user.namespace, merge_requests_access_level: ProjectFeature::PRIVATE)
   end
 
   let(:user2)       { create(:user) }
@@ -63,6 +64,8 @@ describe API::Issues do
   before(:all) do
     project.add_reporter(user)
     project.add_guest(guest)
+    private_mrs_project.add_reporter(user)
+    private_mrs_project.add_guest(guest)
   end
 
   before do
@@ -725,6 +728,30 @@ describe API::Issues do
         end
       end
     end
+
+    context "when returns issue merge_requests_count for different access levels" do
+      let!(:merge_request1) do
+        create(:merge_request,
+               :simple,
+               author: user,
+               source_project: private_mrs_project,
+               target_project: private_mrs_project,
+               description: "closes #{issue.to_reference(private_mrs_project)}")
+      end
+      let!(:merge_request2) do
+        create(:merge_request,
+               :simple,
+               author: user,
+               source_project: project,
+               target_project: project,
+               description: "closes #{issue.to_reference}")
+      end
+
+      it_behaves_like 'accessible merge requests count' do
+        let(:api_url) { "/issues" }
+        let(:target_issue) { issue }
+      end
+    end
   end
 
   describe 'DELETE /projects/:id/issues/:issue_iid' do