From 2d1166d80360db950d1d3ec5256b7d3a47ff10e8 Mon Sep 17 00:00:00 2001 From: Douwe Maan Date: Thu, 30 Jun 2016 16:13:25 +0000 Subject: Merge branch '18033-private-repo-mentions' into 'master' Ensure logged-out users can't see private refs https://gitlab.com/gitlab-org/gitlab-ce/issues/18033 I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10. See merge request !1974 (cherry picked from commit 3a6ebb1fd624c216a4ce65380e64072793b7ccda) --- CHANGELOG | 1 + app/models/concerns/mentionable.rb | 2 +- app/services/todo_service.rb | 2 +- spec/models/concerns/mentionable_spec.rb | 37 ++++++++++++++++++++++++++++++++ 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 009268995c3..9bb03dcb13c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 8.8.7 - Fix privilege escalation issue with OAuth external users. + - Ensure references to private repos aren't shown to logged-out users. v 8.8.6 - Fix visibility of snippets when searching. diff --git a/app/models/concerns/mentionable.rb b/app/models/concerns/mentionable.rb index b381d225485..2621c0fecf2 100644 --- a/app/models/concerns/mentionable.rb +++ b/app/models/concerns/mentionable.rb @@ -44,7 +44,7 @@ module Mentionable end def all_references(current_user = nil, text = nil) - ext = Gitlab::ReferenceExtractor.new(self.project, current_user || self.author, self.author) + ext = Gitlab::ReferenceExtractor.new(self.project, current_user, self.author) if text ext.analyze(text) diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb index 4bf4e144727..c259c2fc75f 100644 --- a/app/services/todo_service.rb +++ b/app/services/todo_service.rb @@ -200,7 +200,7 @@ class TodoService end def filter_mentioned_users(project, target, author) - mentioned_users = target.mentioned_users + mentioned_users = target.mentioned_users(author) mentioned_users = reject_users_without_access(mentioned_users, project, target) mentioned_users.delete(author) mentioned_users.uniq diff --git a/spec/models/concerns/mentionable_spec.rb b/spec/models/concerns/mentionable_spec.rb index cb33edde820..0344dae8b5d 100644 --- a/spec/models/concerns/mentionable_spec.rb +++ b/spec/models/concerns/mentionable_spec.rb @@ -29,6 +29,43 @@ describe Issue, "Mentionable" do it { is_expected.not_to include(user2) } end + describe '#referenced_mentionables' do + context 'with an issue on a private project' do + let(:project) { create(:empty_project, :public) } + let(:issue) { create(:issue, project: project) } + let(:public_issue) { create(:issue, project: project) } + let(:private_project) { create(:empty_project, :private) } + let(:private_issue) { create(:issue, project: private_project) } + let(:user) { create(:user) } + + def referenced_issues(current_user) + text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}" + + issue.referenced_mentionables(current_user, text) + end + + context 'when the current user can see the issue' do + before { private_project.team << [user, Gitlab::Access::DEVELOPER] } + + it 'includes the reference' do + expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue) + end + end + + context 'when the current user cannot see the issue' do + it 'does not include the reference' do + expect(referenced_issues(user)).to contain_exactly(public_issue) + end + end + + context 'when there is no current user' do + it 'does not include the reference' do + expect(referenced_issues(nil)).to contain_exactly(public_issue) + end + end + end + end + describe '#create_cross_references!' do let(:project) { create(:project) } let(:author) { double('author') } -- cgit v1.2.3