Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

6 files changed, 308 insertions, 28 deletions

diff --git a/spec/controllers/confirmations_controller_spec.rb b/spec/controllers/confirmations_controller_spec.rb
new file mode 100644
index 00000000000..49a39f257fe
--- /dev/null
+++ b/spec/controllers/confirmations_controller_spec.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ConfirmationsController do
+  include DeviseHelpers
+
+  before do
+    set_devise_mapping(context: @request)
+  end
+
+  describe '#show' do
+    render_views
+
+    subject { get :show, params: { confirmation_token: confirmation_token } }
+
+    context 'user is already confirmed' do
+      let_it_be_with_reload(:user) { create(:user, :unconfirmed) }
+      let(:confirmation_token) { user.confirmation_token }
+
+      before do
+        user.confirm
+        subject
+      end
+
+      it 'renders `new`' do
+        expect(response).to render_template(:new)
+      end
+
+      it 'displays an error message' do
+        expect(response.body).to include('Email was already confirmed, please try signing in')
+      end
+
+      it 'does not display the email of the user' do
+        expect(response.body).not_to include(user.email)
+      end
+    end
+
+    context 'user accesses the link after the expiry of confirmation token has passed' do
+      let_it_be_with_reload(:user) { create(:user, :unconfirmed) }
+      let(:confirmation_token) { user.confirmation_token }
+
+      before do
+        allow(Devise).to receive(:confirm_within).and_return(1.day)
+
+        travel_to(3.days.from_now) do
+          subject
+        end
+      end
+
+      it 'renders `new`' do
+        expect(response).to render_template(:new)
+      end
+
+      it 'displays an error message' do
+        expect(response.body).to include('Email needs to be confirmed within 1 day, please request a new one below')
+      end
+
+      it 'does not display the email of the user' do
+        expect(response.body).not_to include(user.email)
+      end
+    end
+
+    context 'with an invalid confirmation token' do
+      let(:confirmation_token) { 'invalid_confirmation_token' }
+
+      before do
+        subject
+      end
+
+      it 'renders `new`' do
+        expect(response).to render_template(:new)
+      end
+
+      it 'displays an error message' do
+        expect(response.body).to include('Confirmation token is invalid')
+      end
+    end
+  end
+end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index bec4b24484a..2e57a901319 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -247,32 +247,99 @@ RSpec.describe UsersController do
 
   describe 'GET #contributed' do
     let(:project) { create(:project, :public) }
-    let(:current_user) { create(:user) }
+
+    subject do
+      get :contributed, params: { username: author.username }, format: format
+    end
 
     before do
-      sign_in(current_user)
+      sign_in(user)
 
       project.add_developer(public_user)
       project.add_developer(private_user)
+      create(:push_event, project: project, author: author)
+
+      subject
     end
 
-    context 'with public profile' do
+    shared_examples_for 'renders contributed projects' do
       it 'renders contributed projects' do
-        create(:push_event, project: project, author: public_user)
+        expect(assigns[:contributed_projects]).not_to be_empty
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
 
-        get :contributed, params: { username: public_user.username }
+    %i(html json).each do |format|
+      context "format: #{format}" do
+        let(:format) { format }
 
-        expect(assigns[:contributed_projects]).not_to be_empty
+        context 'with public profile' do
+          let(:author) { public_user }
+
+          it_behaves_like 'renders contributed projects'
+        end
+
+        context 'with private profile' do
+          let(:author) { private_user }
+
+          it 'returns 404' do
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+
+          context 'with a user that has the ability to read private profiles', :enable_admin_mode do
+            let(:user) { create(:admin) }
+
+            it_behaves_like 'renders contributed projects'
+          end
+        end
+      end
+    end
+  end
+
+  describe 'GET #starred' do
+    let(:project) { create(:project, :public) }
+
+    subject do
+      get :starred, params: { username: author.username }, format: format
+    end
+
+    before do
+      author.toggle_star(project)
+
+      sign_in(user)
+      subject
+    end
+
+    shared_examples_for 'renders starred projects' do
+      it 'renders starred projects' do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(assigns[:starred_projects]).not_to be_empty
       end
     end
 
-    context 'with private profile' do
-      it 'does not render contributed projects' do
-        create(:push_event, project: project, author: private_user)
+    %i(html json).each do |format|
+      context "format: #{format}" do
+        let(:format) { format }
+
+        context 'with public profile' do
+          let(:author) { public_user }
+
+          it_behaves_like 'renders starred projects'
+        end
+
+        context 'with private profile' do
+          let(:author) { private_user }
+
+          it 'returns 404' do
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
 
-        get :contributed, params: { username: private_user.username }
+          context 'with a user that has the ability to read private profiles', :enable_admin_mode do
+            let(:user) { create(:admin) }
 
-        expect(assigns[:contributed_projects]).to be_empty
+            it_behaves_like 'renders starred projects'
+          end
+        end
       end
     end
   end
diff --git a/spec/finders/starred_projects_finder_spec.rb b/spec/finders/starred_projects_finder_spec.rb
index 15d4ae52ddd..f5d3314021d 100644
--- a/spec/finders/starred_projects_finder_spec.rb
+++ b/spec/finders/starred_projects_finder_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe StarredProjectsFinder do
   let(:project1) { create(:project, :public, :empty_repo) }
   let(:project2) { create(:project, :public, :empty_repo) }
-  let(:other_project) { create(:project, :public, :empty_repo) }
+  let(:private_project) { create(:project, :private, :empty_repo) }
 
   let(:user) { create(:user) }
   let(:other_user) { create(:user) }
@@ -13,6 +13,9 @@ RSpec.describe StarredProjectsFinder do
   before do
     user.toggle_star(project1)
     user.toggle_star(project2)
+
+    private_project.add_maintainer(user)
+    user.toggle_star(private_project)
   end
 
   describe '#execute' do
@@ -20,22 +23,56 @@ RSpec.describe StarredProjectsFinder do
 
     subject { finder.execute }
 
-    describe 'as same user' do
-      let(:current_user) { user }
+    context 'user has a public profile' do
+      describe 'as same user' do
+        let(:current_user) { user }
 
-      it { is_expected.to contain_exactly(project1, project2) }
-    end
+        it { is_expected.to contain_exactly(project1, project2, private_project) }
+      end
+
+      describe 'as other user' do
+        let(:current_user) { other_user }
 
-    describe 'as other user' do
-      let(:current_user) { other_user }
+        it { is_expected.to contain_exactly(project1, project2) }
+      end
 
-      it { is_expected.to contain_exactly(project1, project2) }
+      describe 'as no user' do
+        let(:current_user) { nil }
+
+        it { is_expected.to contain_exactly(project1, project2) }
+      end
     end
 
-    describe 'as no user' do
-      let(:current_user) { nil }
+    context 'user has a private profile' do
+      before do
+        user.update!(private_profile: true)
+      end
+
+      describe 'as same user' do
+        let(:current_user) { user }
+
+        it { is_expected.to contain_exactly(project1, project2, private_project) }
+      end
+
+      describe 'as other user' do
+        context 'user does not have access to view the private profile' do
+          let(:current_user) { other_user }
+
+          it { is_expected.to be_empty }
+        end
+
+        context 'user has access to view the private profile', :enable_admin_mode do
+          let(:current_user) { create(:admin) }
+
+          it { is_expected.to contain_exactly(project1, project2, private_project) }
+        end
+      end
+
+      describe 'as no user' do
+        let(:current_user) { nil }
 
-      it { is_expected.to contain_exactly(project1, project2) }
+        it { is_expected.to be_empty }
+      end
     end
   end
 end
diff --git a/spec/requests/api/graphql/user/starred_projects_query_spec.rb b/spec/requests/api/graphql/user/starred_projects_query_spec.rb
index 8a1bd3d172f..b098058a735 100644
--- a/spec/requests/api/graphql/user/starred_projects_query_spec.rb
+++ b/spec/requests/api/graphql/user/starred_projects_query_spec.rb
@@ -70,4 +70,31 @@ RSpec.describe 'Getting starredProjects of the user' do
       )
     end
   end
+
+  context 'the user has a private profile' do
+    before do
+      user.update!(private_profile: true)
+      post_graphql(query, current_user: current_user)
+    end
+
+    context 'the current user does not have access to view the private profile of the user' do
+      let(:current_user) { create(:user) }
+
+      it 'finds no projects' do
+        expect(starred_projects).to be_empty
+      end
+    end
+
+    context 'the current user has access to view the private profile of the user' do
+      let(:current_user) { create(:admin) }
+
+      it 'finds all projects starred by the user, which the current user has access to' do
+        expect(starred_projects).to contain_exactly(
+          a_hash_including('id' => global_id_of(project_a)),
+          a_hash_including('id' => global_id_of(project_b)),
+          a_hash_including('id' => global_id_of(project_c))
+        )
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 4a792fc218d..234ac1778fd 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1255,13 +1255,46 @@ RSpec.describe API::Projects do
       expect(json_response['message']).to eq('404 User Not Found')
     end
 
-    it 'returns projects filtered by user' do
-      get api("/users/#{user3.id}/starred_projects/", user)
+    context 'with a public profile' do
+      it 'returns projects filtered by user' do
+        get api("/users/#{user3.id}/starred_projects/", user)
 
-      expect(response).to have_gitlab_http_status(:ok)
-      expect(response).to include_pagination_headers
-      expect(json_response).to be_an Array
-      expect(json_response.map { |project| project['id'] }).to contain_exactly(project.id, project2.id, project3.id)
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response.map { |project| project['id'] })
+          .to contain_exactly(project.id, project2.id, project3.id)
+      end
+    end
+
+    context 'with a private profile' do
+      before do
+        user3.update!(private_profile: true)
+        user3.reload
+      end
+
+      context 'user does not have access to view the private profile' do
+        it 'returns no projects' do
+          get api("/users/#{user3.id}/starred_projects/", user)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to include_pagination_headers
+          expect(json_response).to be_an Array
+          expect(json_response).to be_empty
+        end
+      end
+
+      context 'user has access to view the private profile' do
+        it 'returns projects filtered by user' do
+          get api("/users/#{user3.id}/starred_projects/", admin)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to include_pagination_headers
+          expect(json_response).to be_an Array
+          expect(json_response.map { |project| project['id'] })
+            .to contain_exactly(project.id, project2.id, project3.id)
+        end
+      end
     end
   end
 
diff --git a/spec/validators/zoom_url_validator_spec.rb b/spec/validators/zoom_url_validator_spec.rb
new file mode 100644
index 00000000000..7d5c94bc249
--- /dev/null
+++ b/spec/validators/zoom_url_validator_spec.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ZoomUrlValidator do
+  let(:zoom_meeting) { build(:zoom_meeting) }
+
+  describe 'validations' do
+    context 'when zoom link starts with https' do
+      it 'passes validation' do
+        zoom_meeting.url = 'https://zoom.us/j/123456789'
+
+        expect(zoom_meeting.valid?).to eq(true)
+        expect(zoom_meeting.errors).to be_empty
+      end
+    end
+
+    shared_examples 'zoom link does not start with https' do |url|
+      it 'fails validation' do
+        zoom_meeting.url = url
+        expect(zoom_meeting.valid?).to eq(false)
+
+        expect(zoom_meeting.errors).to be_present
+        expect(zoom_meeting.errors.first[1]).to eq 'must contain one valid Zoom URL'
+      end
+    end
+
+    context 'when zoom link does not start with https' do
+      include_examples 'zoom link does not start with https', 'http://zoom.us/j/123456789'
+
+      context 'when zoom link does not start with a scheme' do
+        include_examples 'zoom link does not start with https', 'testinghttp://zoom.us/j/123456789'
+      end
+    end
+  end
+end