Commit a803cd51 authored Apr 14, 2015 by Robert Speicher
Check for project read permissions in cross-references
parent 470b0c25
Showing 2 changed files with 49 additions and 12 deletions
lib/gitlab/markdown/cross_project_reference.rb +13 -3
spec/lib/gitlab/markdown/cross_project_reference_spec.rb +36 -9
lib/gitlab/markdown/cross_project_reference.rb
...
...
@@ -8,18 +8,28 @@ module Gitlab
# Given a cross-project reference string, get the Project record
#
# If no valid reference is given, returns the `:project` value for the
# current context.
# Defaults to value of `context[:project]` if:
# - No reference is given
# - Reference given doesn't exist
# - Reference given can't be read by the current user
#
# ref - String reference.
#
# Returns a Project
def
project_from_ref
(
ref
)
if
ref
&&
other
=
Project
.
find_with_namespace
(
ref
)
if
user_can_reference_project?
(
other
)
other
else
context
[
:project
]
end
else
context
[
:project
]
end
end
def
user_can_reference_project?
(
project
,
user
=
context
[
:current_user
])
user
&&
Ability
.
abilities
.
allowed?
(
user
,
:read_project
,
project
)
end
end
end
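Review bot: in `user_can_reference_project?`, the `user &&` guard makes the method return nil whenever `context[:current_user]` is unset, so for a signed-out viewer every cross-project reference falls back to `context[:project]`, including references to projects that viewer might otherwise be allowed to read. Failing closed is the safe default, but the new comment on `project_from_ref` lists only three fallback conditions and does not mention this one; either add "no current user" to that list or pass the nil user through to `Ability.abilities.allowed?` if it is meant to handle it. Separately, `context[:project]` is now returned from two branches; computing the fallback once would keep the denied path and the not-found path visibly identical.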
...
...
spec/lib/gitlab/markdown/cross_project_reference_spec.rb
...
...
@@ -2,21 +2,48 @@ require 'spec_helper'
module
Gitlab::Markdown
describe
CrossProjectReference
do
include
CrossProjectReference
# context in the html-pipeline sense, not in the rspec sense
let
(
:context
)
do
{
current_user:
double
(
'user'
),
project:
double
(
'project'
)
}
end
include
described_class
describe
'#project_from_ref'
do
let
(
:project
)
{
double
(
'project'
)
}
context
'when referenced project does not exist'
do
it
'returns the project from context'
do
expect
(
project_from_ref
(
'invalid/reference'
)).
to
eq
context
[
:project
]
end
end
context
'when referenced project exists'
do
let
(
:project2
)
{
double
(
'referenced project'
)
}
it
'returns a project from a valid reference'
do
expect
(
Project
).
to
receive
(
:find_with_namespace
).
with
(
'cross-reference/foo'
).
and_return
(
project
)
before
do
expect
(
Project
).
to
receive
(
:find_with_namespace
).
with
(
'cross/reference'
).
and_return
(
project2
)
end
context
'and the user has permission to read it'
do
it
'returns the referenced project'
do
expect
(
self
).
to
receive
(
:user_can_reference_project?
).
with
(
project2
).
and_return
(
true
)
expect
(
project_from_ref
(
'cross-reference/foo'
)).
to
eq
project
expect
(
project_from_ref
(
'cross/reference'
)).
to
eq
project2
end
end
it
'returns the project from context when reference is invalid'
do
expect
(
self
).
to
receive
(
:context
).
and_return
({
project:
project
})
context
'and the user does not have permission to read it'
do
it
'returns the project from context'
do
expect
(
self
).
to
receive
(
:user_can_reference_project?
).
with
(
project2
).
and_return
(
false
)
expect
(
project_from_ref
(
'invalid/reference'
)).
to
eq
project
expect
(
project_from_ref
(
'cross/reference'
)).
to
eq
context
[
:project
]
end
end
end
end
end
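Review bot: both permission contexts stub `user_can_reference_project?` on `self`, so nothing in this spec reaches `Ability.abilities.allowed?(user, :read_project, project)` or the `user &&` guard, which is the actual access check this commit adds. Add a `describe '#user_can_reference_project?'` block covering an allowed user, a denied user and a nil `current_user`. The `before` block also uses `expect(Project).to receive(:find_with_namespace)` as setup; `allow` fits better there, since the lookup is not the behaviour under test.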
...
...