Skip to content

G
gitlab-ce
Commit c1cc4777 authored by Rubén Dávila's avatar Rubén Dávila
Browse files
Options

Hide events from internal projects in public feed for anonymous users 

This change fixes a bug where an anonymous user was able to see the
activity related to internal projects when visiting the public profile
of a user of the GitLab instance.
parent 75797ac3
Hide whitespace changes
Inline Side-by-side
Showing with 38 additions and 14 deletions
app/finders/user_recent_events_finder.rb
View file @ c1cc4777
...@@ -56,7 +56,7 @@ class UserRecentEventsFinder ...@@ -56,7 +56,7 @@ class UserRecentEventsFinder
visible = target_user visible = target_user
.project_interactions .project_interactions
.where(visibility_level: [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]) .where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))
.select(:id) .select(:id)
Gitlab::SQL::Union.new([authorized, visible]).to_sql Gitlab::SQL::Union.new([authorized, visible]).to_sql
......
changelogs/unreleased/security-rd-do-not-show-internal-info-in-public-feed.yml 0 → 100644
View file @ c1cc4777
---
title: Don't show events from internal projects for anonymous users in public feed
merge_request:
author:
type: security
spec/finders/user_recent_events_finder_spec.rb
View file @ c1cc4777
require 'spec_helper' require 'spec_helper'
describe UserRecentEventsFinder do describe UserRecentEventsFinder do
let(:user) { create(:user) } let(:current_user) { create(:user) }
let(:project) { create(:project) } let(:project_owner) { create(:user) }
let(:project_owner) { project.creator } let(:private_project) { create(:project, :private, creator: project_owner) }
let!(:event) { create(:event, project: project, author: project_owner) } let(:internal_project) { create(:project, :internal, creator: project_owner) }
let(:public_project) { create(:project, :public, creator: project_owner) }
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
subject(:finder) { described_class.new(user, project_owner) } subject(:finder) { described_class.new(current_user, project_owner) }
describe '#execute' do describe '#execute' do
it 'does not include the event when a user does not have access to the project' do context 'current user does not have access to projects' do
expect(finder.execute).to be_empty it 'returns public and internal events' do
records = finder.execute
expect(records).to include(public_event, internal_event)
expect(records).not_to include(private_event)
end
end end
context 'when the user has access to a project' do context 'when current user has access to the projects' do
before do before do
project.add_developer(user) private_project.add_developer(current_user)
internal_project.add_developer(current_user)
public_project.add_developer(current_user)
end end
it 'includes the event' do it 'returns all the events' do
expect(finder.execute).to include(event) expect(finder.execute).to include(private_event, internal_event, public_event)
end end
it 'does not include the event if the user cannot read cross project' do it 'does not include the events if the user cannot read cross project' do
expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false } expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false }
expect(finder.execute).to be_empty expect(finder.execute).to be_empty
end end
end end
context 'when current user is anonymous' do
let(:current_user) { nil }
it 'returns public events only' do
expect(finder.execute).to eq([public_event])
end
end
end end
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7