Redact events shown in the events API

45ced6c5 · Nick Thomas · 8c219294 · 45ced6c5 · 45ced6c5 · 45ced6c5
Commit 45ced6c5 authored Sep 21, 2018 by Nick Thomas
4 changed files
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -12,6 +12,7 @@ class EventsFinder
  # Arguments:
  #   source - which user or project to looks for events on
  #   current_user - only return events for projects visible to this user
+  #                  WARNING: does not consider project feature visibility!
  #   params:
  #     action: string
  #     target_type: string

--- a/app/finders/user_recent_events_finder.rb
+++ b/app/finders/user_recent_events_finder.rb
@@ -3,6 +3,7 @@
 # Get user activity feed for projects common for a user and a logged in user
 #
 # - current_user: The user viewing the events
+#                 WARNING: does not consider project feature visibility!
 # - user: The user for which to load the events
 # - params:
 #   - offset: The page of events to return

--- a/lib/api/events.rb
+++ b/lib/api/events.rb
@@ -16,12 +16,27 @@ module API
                        desc: 'Return events sorted in ascending and descending order'
      end

+      RedactedEvent = OpenStruct.new(target_title: 'Confidential event').freeze
+
+      def redact_events(events)
+        events.map do |event|
+          if event.visible_to_user?(current_user)
+            event
+          else
+            RedactedEvent
+          end
+        end
+      end
+
      # rubocop: disable CodeReuse/ActiveRecord
-      def present_events(events)
+      def present_events(events, redact: true)
        events = events.reorder(created_at: params[:sort])
                 .with_associations

-        present paginate(events), with: Entities::Event
+        events = paginate(events)
+        events = redact_events(events) if redact
+
+        present events, with: Entities::Event
      end
      # rubocop: enable CodeReuse/ActiveRecord
    end
@@ -44,7 +59,8 @@ module API

        events = EventsFinder.new(params.merge(source: current_user, current_user: current_user)).execute.preload(:author, :target)

-        present_events(events)
+        # Since we're viewing our own events, redaction is unnecessary
+        present_events(events, redact: false)
      end
      # rubocop: enable CodeReuse/ActiveRecord
    end

--- a/spec/requests/api/redacted_events_spec.rb
+++ b/spec/requests/api/redacted_events_spec.rb
+require 'spec_helper'
+
+describe 'Redacted events in API::Events' do
+  shared_examples 'private events are redacted' do
+    it 'redacts events the user does not have access to' do
+      expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original
+
+      get api(path), user
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to contain_exactly(
+        'project_id' => nil,
+        'action_name' => nil,
+        'target_id' => nil,
+        'target_iid' => nil,
+        'target_type' => nil,
+        'author_id' => nil,
+        'target_title' => 'Confidential event',
+        'created_at' => nil,
+        'author_username' => nil
+      )
+    end
+  end
+
+  describe '/users/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/users/#{project.owner.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views another user with private events' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views another user with private events' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+
+  describe '/projects/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/projects/#{project.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views public project' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views public project' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+end