Commit 03ae2cdb authored by Stan Hu's avatar Stan Hu Committed by Rémy Coutable

Filter confidential issues from milestones API if user does not have access

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
parent 793a7664
...@@ -8,6 +8,8 @@ v 8.7.1 (unreleased) ...@@ -8,6 +8,8 @@ v 8.7.1 (unreleased)
- Fix license detection to detect all license files, not only known licenses. !3878 - Fix license detection to detect all license files, not only known licenses. !3878
- Use the `can?` helper instead of `current_user.can?`. !3882 - Use the `can?` helper instead of `current_user.can?`. !3882
- Prevent users from deleting Webhooks via API they do not own - Prevent users from deleting Webhooks via API they do not own
- Use the `can?` helper instead of `current_user.can?`
- Filter confidential issues from milestones API if user does not have access
v 8.7.0 v 8.7.0
- Gitlab::GitAccess and Gitlab::GitAccessWiki are now instrumented - Gitlab::GitAccess and Gitlab::GitAccessWiki are now instrumented
......
...@@ -105,7 +105,15 @@ module API ...@@ -105,7 +105,15 @@ module API
authorize! :read_milestone, user_project authorize! :read_milestone, user_project
@milestone = user_project.milestones.find(params[:milestone_id]) @milestone = user_project.milestones.find(params[:milestone_id])
present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
finder_params = {
project_id: user_project.id,
milestone_title: @milestone.title,
state: 'all'
}
issues = IssuesFinder.new(current_user, finder_params).execute
present paginate(issues), with: Entities::Issue, current_user: current_user
end end
end end
......
...@@ -127,7 +127,7 @@ describe API::API, api: true do ...@@ -127,7 +127,7 @@ describe API::API, api: true do
describe 'GET /projects/:id/milestones/:milestone_id/issues' do describe 'GET /projects/:id/milestones/:milestone_id/issues' do
before do before do
milestone.issues << create(:issue) milestone.issues << create(:issue, project: project)
end end
it 'should return project issues for a particular milestone' do it 'should return project issues for a particular milestone' do
get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user) get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user)
...@@ -141,4 +141,42 @@ describe API::API, api: true do ...@@ -141,4 +141,42 @@ describe API::API, api: true do
expect(response.status).to eq(401) expect(response.status).to eq(401)
end end
end end
describe 'confidential issues' do
it 'should return confidential issues to team members' do
public_project = create(:project, :public)
user = create(:user)
milestone = create(:milestone, project: public_project)
issue = create(:issue, project: public_project)
confidential_issue = create(:issue, confidential: true, project: public_project)
public_project.team << [user, :developer]
milestone.issues << issue
milestone.issues << confidential_issue
get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user)
expect(response.status).to eq(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(2)
expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id)
end
it 'should not return confidential issues to regular users' do
public_project = create(:project, :public)
normal_user = create(:user)
milestone = create(:milestone, project: public_project)
issue = create(:issue, project: public_project)
confidential_issue = create(:issue, confidential: true, project: public_project)
public_project.team << [user, :developer]
milestone.issues << issue
milestone.issues << confidential_issue
get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", normal_user)
expect(response.status).to eq(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
expect(json_response.map { |issue| issue['id'] }).to include(issue.id)
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment