Merge branch 'security-11-6' of dev.gitlab.org:gitlab/gitlabhq into 11-6-stable

6 files changed, 155 insertions, 7 deletions

diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb
index 362d5cc4514..01882383656 100644
--- a/spec/controllers/groups/group_members_controller_spec.rb
+++ b/spec/controllers/groups/group_members_controller_spec.rb
@@ -118,7 +118,7 @@ describe Groups::GroupMembersController do
         it '[HTML] removes user from members' do
           delete :destroy, group_id: group, id: member
 
-          expect(response).to set_flash.to 'User was successfully removed from group.'
+          expect(response).to set_flash.to 'User was successfully removed from group and any subresources.'
           expect(response).to redirect_to(group_group_members_path(group))
           expect(group.members).not_to include member
         end
diff --git a/spec/controllers/projects/snippets_controller_spec.rb b/spec/controllers/projects/snippets_controller_spec.rb
index 9c383bd7628..70bf182cdee 100644
--- a/spec/controllers/projects/snippets_controller_spec.rb
+++ b/spec/controllers/projects/snippets_controller_spec.rb
@@ -371,6 +371,46 @@ describe Projects::SnippetsController do
     end
   end
 
+  describe "GET #show for embeddable content" do
+    let(:project_snippet) { create(:project_snippet, snippet_permission, project: project, author: user) }
+
+    before do
+      sign_in(user)
+
+      get :show, namespace_id: project.namespace, project_id: project, id: project_snippet.to_param, format: :js
+    end
+
+    context 'when snippet is private' do
+      let(:snippet_permission) { :private }
+
+      it 'responds with status 404' do
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when snippet is public' do
+      let(:snippet_permission) { :public }
+
+      it 'responds with status 200' do
+        expect(assigns(:snippet)).to eq(project_snippet)
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
+
+    context 'when the project is private' do
+      let(:project) { create(:project_empty_repo, :private) }
+
+      context 'when snippet is public' do
+        let(:project_snippet) { create(:project_snippet, :public, project: project, author: user) }
+
+        it 'responds with status 404' do
+          expect(assigns(:snippet)).to eq(project_snippet)
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
+  end
+
   describe 'GET #raw' do
     let(:project_snippet) do
       create(
diff --git a/spec/controllers/snippets_controller_spec.rb b/spec/controllers/snippets_controller_spec.rb
index 957bab638b1..c1f9509e6cc 100644
--- a/spec/controllers/snippets_controller_spec.rb
+++ b/spec/controllers/snippets_controller_spec.rb
@@ -80,6 +80,12 @@ describe SnippetsController do
             expect(assigns(:snippet)).to eq(personal_snippet)
             expect(response).to have_gitlab_http_status(200)
           end
+
+          it 'responds with status 404 when embeddable content is requested' do
+            get :show, id: personal_snippet.to_param, format: :js
+
+            expect(response).to have_gitlab_http_status(404)
+          end
         end
       end
 
@@ -106,6 +112,12 @@ describe SnippetsController do
           expect(assigns(:snippet)).to eq(personal_snippet)
           expect(response).to have_gitlab_http_status(200)
         end
+
+        it 'responds with status 404 when embeddable content is requested' do
+          get :show, id: personal_snippet.to_param, format: :js
+
+          expect(response).to have_gitlab_http_status(404)
+        end
       end
 
       context 'when not signed in' do
@@ -131,6 +143,13 @@ describe SnippetsController do
           expect(assigns(:snippet)).to eq(personal_snippet)
           expect(response).to have_gitlab_http_status(200)
         end
+
+        it 'responds with status 200 when embeddable content is requested' do
+          get :show, id: personal_snippet.to_param, format: :js
+
+          expect(assigns(:snippet)).to eq(personal_snippet)
+          expect(response).to have_gitlab_http_status(200)
+        end
       end
 
       context 'when not signed in' do
diff --git a/spec/helpers/members_helper_spec.rb b/spec/helpers/members_helper_spec.rb
index 4590904c93d..908e8960f37 100644
--- a/spec/helpers/members_helper_spec.rb
+++ b/spec/helpers/members_helper_spec.rb
@@ -16,7 +16,7 @@ describe MembersHelper do
     it { expect(remove_member_message(project_member_invite)).to eq "Are you sure you want to revoke the invitation for #{project_member_invite.invite_email} to join the #{project.full_name} project?" }
     it { expect(remove_member_message(project_member_request)).to eq "Are you sure you want to deny #{requester.name}'s request to join the #{project.full_name} project?" }
     it { expect(remove_member_message(project_member_request, user: requester)).to eq "Are you sure you want to withdraw your access request for the #{project.full_name} project?" }
-    it { expect(remove_member_message(group_member)).to eq "Are you sure you want to remove #{group_member.user.name} from the #{group.name} group?" }
+    it { expect(remove_member_message(group_member)).to eq "Are you sure you want to remove #{group_member.user.name} from the #{group.name} group and any subresources?" }
     it { expect(remove_member_message(group_member_invite)).to eq "Are you sure you want to revoke the invitation for #{group_member_invite.invite_email} to join the #{group.name} group?" }
     it { expect(remove_member_message(group_member_request)).to eq "Are you sure you want to deny #{requester.name}'s request to join the #{group.name} group?" }
     it { expect(remove_member_message(group_member_request, user: requester)).to eq "Are you sure you want to withdraw your access request for the #{group.name} group?" }
@@ -33,7 +33,7 @@ describe MembersHelper do
 
     it { expect(remove_member_title(project_member)).to eq 'Remove user from project' }
     it { expect(remove_member_title(project_member_request)).to eq 'Deny access request from project' }
-    it { expect(remove_member_title(group_member)).to eq 'Remove user from group' }
+    it { expect(remove_member_title(group_member)).to eq 'Remove user from group and any subresources' }
     it { expect(remove_member_title(group_member_request)).to eq 'Deny access request from group' }
   end
 
diff --git a/spec/models/snippet_spec.rb b/spec/models/snippet_spec.rb
index 7a7272ccb60..664dc3fa145 100644
--- a/spec/models/snippet_spec.rb
+++ b/spec/models/snippet_spec.rb
@@ -423,4 +423,41 @@ describe Snippet do
       expect(blob.data).to eq(snippet.content)
     end
   end
+
+  describe '#embeddable?' do
+    context 'project snippet' do
+      [
+        { project: :public,   snippet: :public,   embeddable: true },
+        { project: :internal, snippet: :public,   embeddable: false },
+        { project: :private,  snippet: :public,   embeddable: false },
+        { project: :public,   snippet: :internal, embeddable: false },
+        { project: :internal, snippet: :internal, embeddable: false },
+        { project: :private,  snippet: :internal, embeddable: false },
+        { project: :public,   snippet: :private,  embeddable: false },
+        { project: :internal, snippet: :private,  embeddable: false },
+        { project: :private,  snippet: :private,  embeddable: false }
+      ].each do |combination|
+        it 'only returns true when both project and snippet are public' do
+          project = create(:project, combination[:project])
+          snippet = create(:project_snippet, combination[:snippet], project: project)
+
+          expect(snippet.embeddable?).to eq(combination[:embeddable])
+        end
+      end
+    end
+
+    context 'personal snippet' do
+      [
+        { snippet: :public,   embeddable: true },
+        { snippet: :internal, embeddable: false },
+        { snippet: :private,  embeddable: false }
+      ].each do |combination|
+        it 'only returns true when snippet is public' do
+          snippet = create(:personal_snippet, combination[:snippet])
+
+          expect(snippet.embeddable?).to eq(combination[:embeddable])
+        end
+      end
+    end
+  end
 end
diff --git a/spec/services/members/destroy_service_spec.rb b/spec/services/members/destroy_service_spec.rb
index 5aa7165e135..e872a537761 100644
--- a/spec/services/members/destroy_service_spec.rb
+++ b/spec/services/members/destroy_service_spec.rb
@@ -69,14 +69,14 @@ describe Members::DestroyService do
     it 'calls Member#after_decline_request' do
       expect_any_instance_of(NotificationService).to receive(:decline_access_request).with(member)
 
-      described_class.new(current_user).execute(member)
+      described_class.new(current_user).execute(member, opts)
     end
 
     context 'when current user is the member' do
       it 'does not call Member#after_decline_request' do
         expect_any_instance_of(NotificationService).not_to receive(:decline_access_request).with(member)
 
-        described_class.new(member_user).execute(member)
+        described_class.new(member_user).execute(member, opts)
       end
     end
   end
@@ -159,7 +159,7 @@ describe Members::DestroyService do
       end
 
       it_behaves_like 'a service destroying a member' do
-        let(:opts) { { skip_authorization: true } }
+        let(:opts) { { skip_authorization: true, skip_subresources: true } }
         let(:member) { group_project.requesters.find_by(user_id: member_user.id) }
       end
 
@@ -168,12 +168,14 @@ describe Members::DestroyService do
       end
 
       it_behaves_like 'a service destroying a member' do
-        let(:opts) { { skip_authorization: true } }
+        let(:opts) { { skip_authorization: true, skip_subresources: true  } }
         let(:member) { group.requesters.find_by(user_id: member_user.id) }
       end
     end
 
     context 'when current user can destroy the given access requester' do
+      let(:opts) { { skip_subresources: true } }
+
       before do
         group_project.add_maintainer(current_user)
         group.add_owner(current_user)
@@ -229,4 +231,54 @@ describe Members::DestroyService do
       end
     end
   end
+
+  context 'subresources' do
+    let(:user) { create(:user) }
+    let(:member_user) { create(:user) }
+    let(:opts) { {} }
+
+    let(:group) { create(:group, :public) }
+    let(:subgroup) { create(:group, parent: group) }
+    let(:subsubgroup) { create(:group, parent: subgroup) }
+    let(:subsubproject) { create(:project, group: subsubgroup) }
+
+    let(:group_project) { create(:project, :public, group: group) }
+    let(:control_project) { create(:project, group: subsubgroup) }
+
+    before do
+      create(:group_member, :developer, group: subsubgroup, user: member_user)
+
+      subsubproject.add_developer(member_user)
+      control_project.add_maintainer(user)
+      group.add_owner(user)
+
+      group_member = create(:group_member, :developer, group: group, user: member_user)
+
+      described_class.new(user).execute(group_member, opts)
+    end
+
+    it 'removes the project membership' do
+      expect(group_project.members.map(&:user)).not_to include(member_user)
+    end
+
+    it 'removes the group membership' do
+      expect(group.members.map(&:user)).not_to include(member_user)
+    end
+
+    it 'removes the subgroup membership', :postgresql do
+      expect(subgroup.members.map(&:user)).not_to include(member_user)
+    end
+
+    it 'removes the subsubgroup membership', :postgresql do
+      expect(subsubgroup.members.map(&:user)).not_to include(member_user)
+    end
+
+    it 'removes the subsubproject membership', :postgresql do
+      expect(subsubproject.members.map(&:user)).not_to include(member_user)
+    end
+
+    it 'does not remove the user from the control project' do
+      expect(control_project.members.map(&:user)).to include(user)
+    end
+  end
 end