From 3bf34face4cacf07ca973705c261369b1f596626 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Tue, 22 Nov 2016 10:25:04 +0000
Subject: Merge branch 'jej-use-issuable-finder-instead-of-access-check' into
 'security'

Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested

### Issue lookup with access check

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]

### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
---
 spec/lib/gitlab/project_search_results_spec.rb     |  9 ++++
 spec/lib/gitlab/search_results_spec.rb             | 51 ++++++++++++++--------
 spec/models/project_spec.rb                        | 16 +++++--
 spec/requests/api/issues_spec.rb                   | 18 ++++++++
 spec/services/merge_requests/build_service_spec.rb | 12 +++++
 5 files changed, 84 insertions(+), 22 deletions(-)

(limited to 'spec')

diff --git a/spec/lib/gitlab/project_search_results_spec.rb b/spec/lib/gitlab/project_search_results_spec.rb
index a0fdad87eee..3cd9863ec6a 100644
--- a/spec/lib/gitlab/project_search_results_spec.rb
+++ b/spec/lib/gitlab/project_search_results_spec.rb
@@ -65,6 +65,14 @@ describe Gitlab::ProjectSearchResults, lib: true do
     end
   end
 
+  it 'does not list issues on private projects' do
+    issue = create(:issue, project: project)
+
+    results = described_class.new(user, project, issue.title)
+
+    expect(results.objects('issues')).not_to include issue
+  end
+
   describe 'confidential issues' do
     let(:query) { 'issue' }
     let(:author) { create(:user) }
@@ -72,6 +80,7 @@ describe Gitlab::ProjectSearchResults, lib: true do
     let(:non_member) { create(:user) }
     let(:member) { create(:user) }
     let(:admin) { create(:admin) }
+    let(:project) { create(:empty_project, :internal) }
     let!(:issue) { create(:issue, project: project, title: 'Issue 1') }
     let!(:security_issue_1) { create(:issue, :confidential, project: project, title: 'Security issue 1', author: author) }
     let!(:security_issue_2) { create(:issue, :confidential, title: 'Security issue 2', project: project, assignee: assignee) }
diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index dfbefad6367..f23e3522625 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -12,35 +12,48 @@ describe Gitlab::SearchResults do
   let!(:milestone) { create(:milestone, project: project, title: 'foo') }
   let(:results) { described_class.new(user, Project.all, 'foo') }
 
-  describe '#projects_count' do
-    it 'returns the total amount of projects' do
-      expect(results.projects_count).to eq(1)
+  context 'as a user with access' do
+    before do
+      project.team << [user, :developer]
     end
-  end
 
-  describe '#issues_count' do
-    it 'returns the total amount of issues' do
-      expect(results.issues_count).to eq(1)
+    describe '#projects_count' do
+      it 'returns the total amount of projects' do
+        expect(results.projects_count).to eq(1)
+      end
     end
-  end
 
-  describe '#merge_requests_count' do
-    it 'returns the total amount of merge requests' do
-      expect(results.merge_requests_count).to eq(1)
+    describe '#issues_count' do
+      it 'returns the total amount of issues' do
+        expect(results.issues_count).to eq(1)
+      end
+    end
+
+    describe '#merge_requests_count' do
+      it 'returns the total amount of merge requests' do
+        expect(results.merge_requests_count).to eq(1)
+      end
     end
-  end
 
-  describe '#milestones_count' do
-    it 'returns the total amount of milestones' do
-      expect(results.milestones_count).to eq(1)
+    describe '#milestones_count' do
+      it 'returns the total amount of milestones' do
+        expect(results.milestones_count).to eq(1)
+      end
     end
   end
 
+  it 'does not list issues on private projects' do
+    private_project = create(:empty_project, :private)
+    issue = create(:issue, project: private_project, title: 'foo')
+
+    expect(results.objects('issues')).not_to include issue
+  end
+
   describe 'confidential issues' do
-    let(:project_1) { create(:empty_project) }
-    let(:project_2) { create(:empty_project) }
-    let(:project_3) { create(:empty_project) }
-    let(:project_4) { create(:empty_project) }
+    let(:project_1) { create(:empty_project, :internal) }
+    let(:project_2) { create(:empty_project, :internal) }
+    let(:project_3) { create(:empty_project, :internal) }
+    let(:project_4) { create(:empty_project, :internal) }
     let(:query) { 'issue' }
     let(:limit_projects) { Project.where(id: [project_1.id, project_2.id, project_3.id]) }
     let(:author) { create(:user) }
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index da38254d1bc..8abcce42ce0 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -361,10 +361,15 @@ describe Project, models: true do
   describe '#get_issue' do
     let(:project) { create(:empty_project) }
     let!(:issue)  { create(:issue, project: project) }
+    let(:user)    { create(:user) }
+
+    before do
+      project.team << [user, :developer]
+    end
 
     context 'with default issues tracker' do
       it 'returns an issue' do
-        expect(project.get_issue(issue.iid)).to eq issue
+        expect(project.get_issue(issue.iid, user)).to eq issue
       end
 
       it 'returns count of open issues' do
@@ -372,7 +377,12 @@ describe Project, models: true do
       end
 
       it 'returns nil when no issue found' do
-        expect(project.get_issue(999)).to be_nil
+        expect(project.get_issue(999, user)).to be_nil
+      end
+
+      it "returns nil when user doesn't have access" do
+        user = create(:user)
+        expect(project.get_issue(issue.iid, user)).to eq nil
       end
     end
 
@@ -382,7 +392,7 @@ describe Project, models: true do
       end
 
       it 'returns an ExternalIssue' do
-        issue = project.get_issue('FOO-1234')
+        issue = project.get_issue('FOO-1234', user)
         expect(issue).to be_kind_of(ExternalIssue)
         expect(issue.iid).to eq 'FOO-1234'
         expect(issue.project).to eq project
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index b17553211d2..ae7994af981 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -365,6 +365,24 @@ describe API::API, api: true  do
     let(:base_url) { "/projects/#{project.id}" }
     let(:title) { milestone.title }
 
+    it "returns 404 on private projects for other users" do
+      private_project = create(:empty_project, :private)
+      create(:issue, project: private_project)
+
+      get api("/projects/#{private_project.id}/issues", non_member)
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'returns no issues when user has access to project but not issues' do
+      restricted_project = create(:empty_project, :public, issues_access_level: ProjectFeature::PRIVATE)
+      create(:issue, project: restricted_project)
+
+      get api("/projects/#{restricted_project.id}/issues", non_member)
+
+      expect(json_response).to eq([])
+    end
+
     it 'returns project issues without confidential issues for non project members' do
       get api("#{base_url}/issues", non_member)
       expect(response).to have_http_status(200)
diff --git a/spec/services/merge_requests/build_service_spec.rb b/spec/services/merge_requests/build_service_spec.rb
index 3f5df049ea2..dc945ca4868 100644
--- a/spec/services/merge_requests/build_service_spec.rb
+++ b/spec/services/merge_requests/build_service_spec.rb
@@ -24,6 +24,8 @@ describe MergeRequests::BuildService, services: true do
   end
 
   before do
+    project.team << [user, :guest]
+
     allow(CompareService).to receive_message_chain(:new, :execute).and_return(compare)
     allow(project).to receive(:commit).and_return(commit_1)
     allow(project).to receive(:commit).and_return(commit_2)
@@ -168,6 +170,16 @@ describe MergeRequests::BuildService, services: true do
           expect(merge_request.title).to eq("Resolve \"#{issue.title}\"")
         end
 
+        context 'when issue is not accessible to user' do
+          before do
+            project.team.truncate
+          end
+
+          it 'uses branch title as the merge request title' do
+            expect(merge_request.title).to eq("#{issue.iid} fix issue")
+          end
+        end
+
         context 'issue does not exist' do
           let(:source_branch) { "#{issue.iid.succ}-fix-issue" }
 
-- 
cgit v1.2.3