Hide features a user shouldn't be able to see in a list of forks

Changelog: security

Hide features a user shouldn't be able to see in a list of forks
Changelog: security
0ff446c5 · Gary Holtz · Andrew Fontaine · 1bfeb700 · 0ff446c5 · 0ff446c5
Commit 0ff446c5 authored Mar 15, 2022 by Gary Holtz Committed by Andrew Fontaine Mar 28, 2022
4 changed files
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -420,6 +420,18 @@ module ProjectsHelper
    project.path_with_namespace
  end

+  def able_to_see_issues?(project, user)
+    project.issues_enabled? && can?(user, :read_issue, project)
+  end
+
+  def able_to_see_merge_requests?(project, user)
+    project.merge_requests_enabled? && can?(user, :read_merge_request, project)
+  end
+
+  def able_to_see_last_commit?(show_last_commit_as_description, project, user)
+    show_last_commit_as_description && can?(user, :read_commit_status, project)
+  end
+
  def fork_button_disabled_tooltip(project)
    return unless current_user


--- a/app/views/shared/projects/_list.html.haml
+++ b/app/views/shared/projects/_list.html.haml
@@ -37,8 +37,8 @@
        - css_class = (i >= projects_limit) || project.pending_delete? ? 'hide' : nil
        = render "shared/projects/project", project: project, skip_namespace: skip_namespace,
          avatar: avatar, stars: stars, css_class: css_class, use_creator_avatar: use_creator_avatar,
-          forks: project.forking_enabled?, show_last_commit_as_description: show_last_commit_as_description, user: user,
-          merge_requests: project.merge_requests_enabled?, issues: project.issues_enabled?,
+          forks: project.forking_enabled?, show_last_commit_as_description: able_to_see_last_commit?(show_last_commit_as_description, project, user),
+          user: user, merge_requests: able_to_see_merge_requests?(project, user), issues: able_to_see_issues?(project, user),
          pipeline_status: pipeline_status, compact_mode: compact_mode
    = paginate_collection(projects, remote: remote) unless skip_pagination
  - else

--- a/spec/features/projects/forks/fork_list_spec.rb
+++ b/spec/features/projects/forks/fork_list_spec.rb
@@ -24,6 +24,28 @@ RSpec.describe 'listing forks of a project' do
    end
  end

+  context "when a fork is set to allow only project members to access features" do
+    let(:outside_user) { create(:user) }
+
+    before do
+      sign_in(outside_user)
+
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_last_commit?).and_return(false)
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_merge_requests?).and_return(false)
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_issues?).and_return(false)
+    end
+
+    it 'will not show that information in the original forks list' do
+      visit project_forks_path(source)
+
+      page.within('li.project-row') do
+        expect(page).not_to have_css('a.commit-row-message')
+        expect(page).not_to have_css('a.issues')
+        expect(page).not_to have_css('a.merge-requests')
+      end
+    end
+  end
+
  it 'does not show the commit message when an external authorization service is used' do
    enable_external_authorization_service_check


--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -1000,6 +1000,75 @@ RSpec.describe ProjectsHelper do
    end
  end

+  context 'fork security helpers' do
+    using RSpec::Parameterized::TableSyntax
+
+    describe "#able_to_see_merge_requests?" do
+      subject { helper.able_to_see_merge_requests?(project, user) }
+
+      where(:can_read_merge_request, :merge_requests_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(project).to receive(:merge_requests_enabled?).and_return(merge_requests_enabled)
+          allow(helper).to receive(:can?).with(user, :read_merge_request, project).and_return(can_read_merge_request)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+
+    describe "#able_to_see_issues?" do
+      subject { helper.able_to_see_issues?(project, user) }
+
+      where(:can_read_issues, :issues_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(project).to receive(:issues_enabled?).and_return(issues_enabled)
+          allow(helper).to receive(:can?).with(user, :read_issue, project).and_return(can_read_issues)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+
+    describe "#able_to_see_last_commit?" do
+      subject { helper.able_to_see_last_commit?(show_last_commit_as_description, project, user) }
+
+      where(:can_read_last_commit, :show_last_commit_as_description, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(helper).to receive(:can?).with(user, :read_commit_status, project).and_return(can_read_last_commit)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+  end
+
  describe '#fork_button_disabled_tooltip' do
    using RSpec::Parameterized::TableSyntax