Merge branch 'security-hide_merge_request_ids_on_emails' into 'master'

Prevent disclosure of merge request id via email See merge request gitlab/gitlabhq!3313
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:34:02 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:34:02 +0300
commit: 53661b1035c04b3bfe03751d4f82b060734a4fd6 (patch)
tree: f6f1f3ba71f49f7366b655fbdd21ab4db39e5161 /spec/services/issues
parent: fac22c13a8eac189fd531f6ae7016f6adaf64bcf (diff)
parent: fb93142488cfb79bac45f184b7945018550bf326 (diff)
1 files changed, 34 insertions, 6 deletions
diff --git a/spec/services/issues/close_service_spec.rb b/spec/services/issues/close_service_spec.rb
index 6874a8a0929..642a49d57d5 100644
--- a/spec/services/issues/close_service_spec.rb
+++ b/spec/services/issues/close_service_spec.rb
@@ -60,35 +60,63 @@ describe Issues::CloseService do
 
   describe '#close_issue' do
     context "closed by a merge request" do
-      before do
+      it 'mentions closure via a merge request' do
         perform_enqueued_jobs do
           described_class.new(project, user).close_issue(issue, closed_via: closing_merge_request)
         end
-      end
 
-      it 'mentions closure via a merge request' do
         email = ActionMailer::Base.deliveries.last
 
         expect(email.to.first).to eq(user2.email)
         expect(email.subject).to include(issue.title)
         expect(email.body.parts.map(&:body)).to all(include(closing_merge_request.to_reference))
       end
+
+      context 'when user cannot read merge request' do
+        it 'does not mention merge request' do
+          project.project_feature.update_attribute(:repository_access_level, ProjectFeature::DISABLED)
+          perform_enqueued_jobs do
+            described_class.new(project, user).close_issue(issue, closed_via: closing_merge_request)
+          end
+
+          email = ActionMailer::Base.deliveries.last
+          body_text = email.body.parts.map(&:body).join(" ")
+
+          expect(email.to.first).to eq(user2.email)
+          expect(email.subject).to include(issue.title)
+          expect(body_text).not_to include(closing_merge_request.to_reference)
+        end
+      end
     end
 
     context "closed by a commit" do
-      before do
+      it 'mentions closure via a commit' do
         perform_enqueued_jobs do
           described_class.new(project, user).close_issue(issue, closed_via: closing_commit)
         end
-      end
 
-      it 'mentions closure via a commit' do
         email = ActionMailer::Base.deliveries.last
 
         expect(email.to.first).to eq(user2.email)
         expect(email.subject).to include(issue.title)
         expect(email.body.parts.map(&:body)).to all(include(closing_commit.id))
       end
+
+      context 'when user cannot read the commit' do
+        it 'does not mention the commit id' do
+          project.project_feature.update_attribute(:repository_access_level, ProjectFeature::DISABLED)
+          perform_enqueued_jobs do
+            described_class.new(project, user).close_issue(issue, closed_via: closing_commit)
+          end
+
+          email = ActionMailer::Base.deliveries.last
+          body_text = email.body.parts.map(&:body).join(" ")
+
+          expect(email.to.first).to eq(user2.email)
+          expect(email.subject).to include(issue.title)
+          expect(body_text).not_to include(closing_commit.id)
+        end
+      end
     end
 
     context "valid params" do
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:34:02 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:34:02 +0300
commit	53661b1035c04b3bfe03751d4f82b060734a4fd6 (patch)
tree	f6f1f3ba71f49f7366b655fbdd21ab4db39e5161 /spec/services/issues
parent	fac22c13a8eac189fd531f6ae7016f6adaf64bcf (diff)
parent	fb93142488cfb79bac45f184b7945018550bf326 (diff)