authorSean McGivern <sean@gitlab.com>2017-03-28 14:09:44 +0300
committerDJ Mountney <david@twkie.net>2017-03-29 20:15:19 +0300
commit80c139b14448349c6a483e8c134b46a88865b2a4 (patch)
treeb79c9970334ebf508d165ffb756d2ab74ca6c6e2 /spec
parentb3ec0091c33aa0b9a3466f9651693240c857dee6 (diff)
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id. See merge request !2077
Diffstat (limited to 'spec')
-rw-r--r--spec/features/groups_spec.rb10
-rw-r--r--spec/services/groups/update_service_spec.rb14
2 files changed, 24 insertions, 0 deletions
diff --git a/spec/features/groups_spec.rb b/spec/features/groups_spec.rb
index d243f9478bb..5bfe661c6d1 100644
--- a/spec/features/groups_spec.rb
+++ b/spec/features/groups_spec.rb
@@ -100,6 +100,16 @@ feature 'Group', feature: true do
end
end
+ it 'checks permissions to avoid exposing groups by parent_id' do
+ group = create(:group, :private, path: 'secret-group')
+
+ logout
+ login_as(:user)
+ visit new_group_path(parent_id: group.id)
+
+ expect(page).not_to have_content('secret-group')
+ end
+
describe 'group edit' do
let(:group) { create(:group) }
let(:path) { edit_group_path(group) }
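Review bot: The new example's only assertion, `expect(page).not_to have_content('secret-group')`, is a negative check that a redirect, a generic error page or a reworded form would also satisfy, so it does not pin the behaviour the commit intends. If the controller now responds 404 (or redirects) when the user cannot read the parent, assert that outcome too, e.g. `expect(page.status_code).to eq(404)` with the rack_test driver; and since `create(:group, :private, path: 'secret-group')` also assigns a factory name, add `expect(page).not_to have_content(group.name)` so the name cannot leak either. The `logout` call presumably relies on a session established in a `before` block of the enclosing `feature 'Group'`, which starts outside this hunk.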
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 7c0fccb9d41..c88ce38d728 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
end
end
end
+
+ context "with parent_id user doesn't have permissions for" do
+ let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+ before do
+ service.execute
+ end
+
+ it 'does not update parent_id' do
+ updated_group = public_group.reload
+
+ expect(updated_group.parent_id).to be_nil
+ end
+ end
end
context "unauthorized visibility_level validation" do