Commit 70fd0177 authored by Douwe Maan's avatar Douwe Maan Committed by Robert Speicher

Merge branch '18033-private-repo-mentions' into 'master'

Ensure logged-out users can't see private refs

https://gitlab.com/gitlab-org/gitlab-ce/issues/18033

I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.

See merge request !1974
(cherry picked from commit 3a6ebb1f)
parent ad421b3a
......@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.9.4
- Fix privilege escalation issue with OAuth external users.
- Ensure references to private repos aren't shown to logged-out users.
v 8.9.3
- Fix encrypted data backwards compatibility after upgrading attr_encrypted gem. !4963
......
......@@ -45,7 +45,7 @@ module Mentionable
def all_references(current_user = nil, text = nil, extractor: nil)
extractor ||= Gitlab::ReferenceExtractor.
new(project, current_user || author)
new(project, current_user)
if text
extractor.analyze(text, author: author)
......
......@@ -237,7 +237,7 @@ class TodoService
end
def filter_mentioned_users(project, target, author)
mentioned_users = target.mentioned_users
mentioned_users = target.mentioned_users(author)
mentioned_users = reject_users_without_access(mentioned_users, project, target)
mentioned_users.delete(author)
mentioned_users.uniq
......
......@@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
it { is_expected.not_to include(user2) }
end
describe '#referenced_mentionables' do
context 'with an issue on a private project' do
let(:project) { create(:empty_project, :public) }
let(:issue) { create(:issue, project: project) }
let(:public_issue) { create(:issue, project: project) }
let(:private_project) { create(:empty_project, :private) }
let(:private_issue) { create(:issue, project: private_project) }
let(:user) { create(:user) }
def referenced_issues(current_user)
text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}"
issue.referenced_mentionables(current_user, text)
end
context 'when the current user can see the issue' do
before { private_project.team << [user, Gitlab::Access::DEVELOPER] }
it 'includes the reference' do
expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue)
end
end
context 'when the current user cannot see the issue' do
it 'does not include the reference' do
expect(referenced_issues(user)).to contain_exactly(public_issue)
end
end
context 'when there is no current user' do
it 'does not include the reference' do
expect(referenced_issues(nil)).to contain_exactly(public_issue)
end
end
end
end
describe '#create_cross_references!' do
let(:project) { create(:project) }
let(:author) { double('author') }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment