Commit c1cc4777 authored by Rubén Dávila's avatar Rubén Dávila

Hide events from internal projects in public feed for anonymous users

This change fixes a bug where an anonymous user was able to see the
activity related to internal projects when visiting the public profile
of a user of the GitLab instance.
parent 75797ac3
...@@ -56,7 +56,7 @@ class UserRecentEventsFinder ...@@ -56,7 +56,7 @@ class UserRecentEventsFinder
visible = target_user visible = target_user
.project_interactions .project_interactions
.where(visibility_level: [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]) .where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))
.select(:id) .select(:id)
Gitlab::SQL::Union.new([authorized, visible]).to_sql Gitlab::SQL::Union.new([authorized, visible]).to_sql
......
---
title: Don't show events from internal projects for anonymous users in public feed
merge_request:
author:
type: security
require 'spec_helper' require 'spec_helper'
describe UserRecentEventsFinder do describe UserRecentEventsFinder do
let(:user) { create(:user) } let(:current_user) { create(:user) }
let(:project) { create(:project) } let(:project_owner) { create(:user) }
let(:project_owner) { project.creator } let(:private_project) { create(:project, :private, creator: project_owner) }
let!(:event) { create(:event, project: project, author: project_owner) } let(:internal_project) { create(:project, :internal, creator: project_owner) }
let(:public_project) { create(:project, :public, creator: project_owner) }
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
subject(:finder) { described_class.new(user, project_owner) } subject(:finder) { described_class.new(current_user, project_owner) }
describe '#execute' do describe '#execute' do
it 'does not include the event when a user does not have access to the project' do context 'current user does not have access to projects' do
expect(finder.execute).to be_empty it 'returns public and internal events' do
records = finder.execute
expect(records).to include(public_event, internal_event)
expect(records).not_to include(private_event)
end
end end
context 'when the user has access to a project' do context 'when current user has access to the projects' do
before do before do
project.add_developer(user) private_project.add_developer(current_user)
internal_project.add_developer(current_user)
public_project.add_developer(current_user)
end end
it 'includes the event' do it 'returns all the events' do
expect(finder.execute).to include(event) expect(finder.execute).to include(private_event, internal_event, public_event)
end end
it 'does not include the event if the user cannot read cross project' do it 'does not include the events if the user cannot read cross project' do
expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false } expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false }
expect(finder.execute).to be_empty expect(finder.execute).to be_empty
end end
end end
context 'when current user is anonymous' do
let(:current_user) { nil }
it 'returns public events only' do
expect(finder.execute).to eq([public_event])
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment