From 66ebf02c05dc69a65731d61baf28ef3335db2bbf Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 4 Dec 2020 16:49:26 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
---
 spec/requests/api/graphql/user_query_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'spec/requests')
diff --git a/spec/requests/api/graphql/user_query_spec.rb b/spec/requests/api/graphql/user_query_spec.rb
index 738e120549e..ef313504388 100644
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
 'username' => presenter.username,
 'webUrl' => presenter.web_url,
 'avatarUrl' => presenter.avatar_url,
- 'email' => presenter.email
+ 'email' => presenter.public_email
 ))
 expect(graphql_data['user']['status']).to match(
-- cgit v1.2.3
From aefe6486cf0d193067112b90145083d73b96bfef Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 4 Dec 2020 16:51:40 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
---
 spec/requests/api/graphql/user_query_spec.rb | 46 +++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
(limited to 'spec/requests')
diff --git a/spec/requests/api/graphql/user_query_spec.rb b/spec/requests/api/graphql/user_query_spec.rb
index ef313504388..8c45a67cb0f 100644
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -250,7 +250,7 @@ RSpec.describe 'getting user information' do
 context 'the user is private' do
 before do
- user.update(private_profile: true)
+ user.update!(private_profile: true)
 post_graphql(query, current_user: current_user)
 end
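Review bot: In the first hunk (@@ -82) the `email` assertion now compares against `presenter.public_email`, which on a factory-built user is presumably nil, so the example also passes if the resolver still falls back to the private address whenever no public email is configured. Add a context where the fixture sets a public email (`user.update!(public_email: ...)`) and a non-owner `current_user`, asserting both `'email' => presenter.public_email` and `expect(graphql_data.dig('user', 'email')).not_to eq(user.email)`, so a regression that leaks the private address is caught in both states. The enclosing `match(a_hash_including(...))` block and the fixture definitions start outside the hunk, so whether `public_email` is populated cannot be confirmed from here.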
@@ -260,6 +260,50 @@ RSpec.describe 'getting user information' do
 it_behaves_like 'a working graphql query'
 end
+ context 'we request the groupMemberships' do
+ let_it_be(:membership_a) { create(:group_member, user: user) }
+ let(:group_memberships) { graphql_data_at(:user, :group_memberships, :nodes) }
+ let(:user_fields) { 'groupMemberships { nodes { id } }' }
+
+ it_behaves_like 'a working graphql query'
+
+ it 'cannot be found' do
+ expect(group_memberships).to be_empty
+ end
+
+ context 'the current user is the user' do
+ let(:current_user) { user }
+
+ it 'can be found' do
+ expect(group_memberships).to include(
+ a_hash_including('id' => global_id_of(membership_a))
+ )
+ end
+ end
+ end
+
+ context 'we request the projectMemberships' do
+ let_it_be(:membership_a) { create(:project_member, user: user) }
+ let(:project_memberships) { graphql_data_at(:user, :project_memberships, :nodes) }
+ let(:user_fields) { 'projectMemberships { nodes { id } }' }
+
+ it_behaves_like 'a working graphql query'
+
+ it 'cannot be found' do
+ expect(project_memberships).to be_empty
+ end
+
+ context 'the current user is the user' do
+ let(:current_user) { user }
+
+ it 'can be found' do
+ expect(project_memberships).to include(
+ a_hash_including('id' => global_id_of(membership_a))
+ )
+ end
+ end
+ end
+
 context 'we request the authoredMergeRequests' do
 let(:user_fields) { 'authoredMergeRequests { nodes { id } }' }
-- cgit v1.2.3
From 4e3a54f835daa49bf784d6e6ad91e90116a24dc8 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 4 Dec 2020 16:53:44 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
---
 .../graphql/user/starred_projects_query_spec.rb | 27 +++++++++++++
 spec/requests/api/projects_spec.rb | 45 +++++++++++++++++++---
 2 files changed, 66 insertions(+), 6 deletions(-)
(limited to 'spec/requests')
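Review bot: Both new `it 'cannot be found'` examples depend on the default `current_user`, which is defined outside this hunk; if that default is nil (an anonymous request), nothing here proves the memberships are also hidden from a different authenticated, non-admin user, which is the more common disclosure path for a private profile. Add a sibling context to each block, e.g. `context 'the current user is another user' do` / `let(:current_user) { create(:user) }` / `it { expect(group_memberships).to be_empty }`, and the same for `project_memberships`. The two contexts also reuse the `let_it_be` name `membership_a` with different factories; that is legal because they are sibling scopes, but names like `group_membership` and `project_membership` would read less ambiguously.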
diff --git a/spec/requests/api/graphql/user/starred_projects_query_spec.rb b/spec/requests/api/graphql/user/starred_projects_query_spec.rb
index 8a1bd3d172f..b098058a735 100644
--- a/spec/requests/api/graphql/user/starred_projects_query_spec.rb
+++ b/spec/requests/api/graphql/user/starred_projects_query_spec.rb
@@ -70,4 +70,31 @@ RSpec.describe 'Getting starredProjects of the user' do
 )
 end
 end
+
+ context 'the user has a private profile' do
+ before do
+ user.update!(private_profile: true)
+ post_graphql(query, current_user: current_user)
+ end
+
+ context 'the current user does not have access to view the private profile of the user' do
+ let(:current_user) { create(:user) }
+
+ it 'finds no projects' do
+ expect(starred_projects).to be_empty
+ end
+ end
+
+ context 'the current user has access to view the private profile of the user' do
+ let(:current_user) { create(:admin) }
+
+ it 'finds all projects starred by the user, which the current user has access to' do
+ expect(starred_projects).to contain_exactly(
+ a_hash_including('id' => global_id_of(project_a)),
+ a_hash_including('id' => global_id_of(project_b)),
+ a_hash_including('id' => global_id_of(project_c))
+ )
+ end
+ end
+ end
 end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 4a792fc218d..234ac1778fd 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
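Review bot: The new private-profile contexts cover a stranger and an admin but never the profile owner, so an over-broad visibility check that hides starred projects from the user themselves would pass this spec unnoticed; the same gap exists in the projects_spec.rb hunk (@@ -1255) of this commit. Add `context 'the current user is the user' do` with `let(:current_user) { user }` and the same `contain_exactly` assertion in both files. The positive case here relies on `create(:admin)`; if this suite gates admin abilities behind admin mode, confirm the example exercises the elevated path rather than passing for another reason. `starred_projects`, `project_a..c` and the enclosing describe block start outside the hunk.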
@@ -1255,13 +1255,46 @@ RSpec.describe API::Projects do
 expect(json_response['message']).to eq('404 User Not Found')
 end
- it 'returns projects filtered by user' do
- get api("/users/#{user3.id}/starred_projects/", user)
+ context 'with a public profile' do
+ it 'returns projects filtered by user' do
+ get api("/users/#{user3.id}/starred_projects/", user)
- expect(response).to have_gitlab_http_status(:ok)
- expect(response).to include_pagination_headers
- expect(json_response).to be_an Array
- expect(json_response.map { |project| project['id'] }).to contain_exactly(project.id, project2.id, project3.id)
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to include_pagination_headers
+ expect(json_response).to be_an Array
+ expect(json_response.map { |project| project['id'] })
+ .to contain_exactly(project.id, project2.id, project3.id)
+ end
+ end
+
+ context 'with a private profile' do
+ before do
+ user3.update!(private_profile: true)
+ user3.reload
+ end
+
+ context 'user does not have access to view the private profile' do
+ it 'returns no projects' do
+ get api("/users/#{user3.id}/starred_projects/", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to include_pagination_headers
+ expect(json_response).to be_an Array
+ expect(json_response).to be_empty
+ end
+ end
+
+ context 'user has access to view the private profile' do
+ it 'returns projects filtered by user' do
+ get api("/users/#{user3.id}/starred_projects/", admin)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to include_pagination_headers
+ expect(json_response).to be_an Array
+ expect(json_response.map { |project| project['id'] })
+ .to contain_exactly(project.id, project2.id, project3.id)
+ end
+ end
 end
 end
-- cgit v1.2.3
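Review bot: `user3.reload` immediately after `user3.update!(private_profile: true)` in the new `before` block is redundant, since `update!` persists the change and leaves the in-memory record current; drop the line unless another `let` in this file mutates the same row behind the object's back. The three examples repeat the same four-line response assertion, so a shared example such as `it_behaves_like 'a starred_projects listing', expected_ids: [...]` would keep the public and private variants from drifting apart. `user3`, `admin` and the projects are defined outside the hunk, and the enclosing describe block starts before it.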