Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable'

Labels visible despite no access to issues & repositories See merge request gitlab/gitlabhq!3489
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-24 21:53:17 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-24 21:53:17 +0300
commit: c9bcf8fc693c82000181b314f7d0240747e62d02 (patch)
tree: 31994fb5855e2b8a25ac8ef809ed9d7b5689ab95 /spec
parent: 853618e05f6fea4a3a48822601c60a89830269f4 (diff)
parent: b58dd075d32e852e6c7ab306c84945cb5d73c06a (diff)
2 files changed, 85 insertions, 2 deletions
diff --git a/spec/finders/labels_finder_spec.rb b/spec/finders/labels_finder_spec.rb
index 2681f098fec..7590c399cf9 100644
--- a/spec/finders/labels_finder_spec.rb
+++ b/spec/finders/labels_finder_spec.rb
@@ -128,6 +128,89 @@ describe LabelsFinder do
           expect(finder.execute).to eq [private_subgroup_label_1]
         end
       end
+
+      context 'when including labels from group projects with limited visibility' do
+        let(:finder)                     { described_class.new(user, group_id: group_4.id) }
+        let(:group_4)                    { create(:group) }
+        let(:limited_visibility_project) { create(:project, :public, group: group_4) }
+        let(:visible_project)            { create(:project, :public, group: group_4) }
+        let!(:group_label_1)             { create(:group_label, group: group_4) }
+        let!(:limited_visibility_label)  { create(:label, project: limited_visibility_project) }
+        let!(:visible_label)             { create(:label, project: visible_project) }
+
+        shared_examples 'with full visibility' do
+          it 'returns all projects labels' do
+            expect(finder.execute).to eq [group_label_1, limited_visibility_label, visible_label]
+          end
+        end
+
+        shared_examples 'with limited visibility' do
+          it 'returns only authorized projects labels' do
+            expect(finder.execute).to eq [group_label_1, visible_label]
+          end
+        end
+
+        context 'when merge requests and issues are not visible for non members' do
+          before do
+            limited_visibility_project.project_feature.update!(
+              merge_requests_access_level: ProjectFeature::PRIVATE,
+              issues_access_level: ProjectFeature::PRIVATE
+            )
+          end
+
+          context 'when user is not a group member' do
+            it_behaves_like 'with limited visibility'
+          end
+
+          context 'when user is a group member' do
+            before do
+              group_4.add_developer(user)
+            end
+
+            it_behaves_like 'with full visibility'
+          end
+        end
+
+        context 'when merge requests are not visible for non members' do
+          before do
+            limited_visibility_project.project_feature.update!(
+              merge_requests_access_level: ProjectFeature::PRIVATE
+            )
+          end
+
+          context 'when user is not a group member' do
+            it_behaves_like 'with full visibility'
+          end
+
+          context 'when user is a group member' do
+            before do
+              group_4.add_developer(user)
+            end
+
+            it_behaves_like 'with full visibility'
+          end
+        end
+
+        context 'when issues are not visible for non members' do
+          before do
+            limited_visibility_project.project_feature.update!(
+              issues_access_level: ProjectFeature::PRIVATE
+            )
+          end
+
+          context 'when user is not a group member' do
+            it_behaves_like 'with full visibility'
+          end
+
+          context 'when user is a group member' do
+            before do
+              group_4.add_developer(user)
+            end
+
+            it_behaves_like 'with full visibility'
+          end
+        end
+      end
     end
 
     context 'filtering by project_id' do
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index be2ea2e63ee..1bda3094e75 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -3416,7 +3416,7 @@ describe Project do
     end
   end
 
-  describe '.ids_with_milestone_available_for' do
+  describe '.ids_with_issuables_available_for' do
     let!(:user) { create(:user) }
 
     it 'returns project ids with milestones available for user' do
@@ -3426,7 +3426,7 @@ describe Project do
       project_4 = create(:project, :public)
       project_4.project_feature.update(issues_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE )
 
-      project_ids = described_class.ids_with_milestone_available_for(user).pluck(:id)
+      project_ids = described_class.ids_with_issuables_available_for(user).pluck(:id)
 
       expect(project_ids).to include(project_2.id, project_3.id)
       expect(project_ids).not_to include(project_1.id, project_4.id)
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-24 21:53:17 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-24 21:53:17 +0300
commit	c9bcf8fc693c82000181b314f7d0240747e62d02 (patch)
tree	31994fb5855e2b8a25ac8ef809ed9d7b5689ab95 /spec
parent	853618e05f6fea4a3a48822601c60a89830269f4 (diff)
parent	b58dd075d32e852e6c7ab306c84945cb5d73c06a (diff)