Commit 2636222d authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-confidential-issue-label-visibility-master' into 'master'

Fix confidential issue label disclosure on milestone view

See merge request gitlab/gitlab-ee!924
parents c9c75173 559b6d9b
...@@ -26,16 +26,22 @@ module MilestoneActions ...@@ -26,16 +26,22 @@ module MilestoneActions
end end
end end
# rubocop:disable Gitlab/ModuleWithInstanceVariables
def labels def labels
respond_to do |format| respond_to do |format|
format.html { redirect_to milestone_redirect_path } format.html { redirect_to milestone_redirect_path }
format.json do format.json do
milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
render json: tabs_json("shared/milestones/_labels_tab", { render json: tabs_json("shared/milestones/_labels_tab", {
labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables labels: milestone_labels.map do |label|
label.present(issuable_subject: @milestone.parent)
end
}) })
end end
end end
end end
# rubocop:enable Gitlab/ModuleWithInstanceVariables
private private
......
---
title: Fix confidential issue label disclosure on milestone view
merge_request:
author:
type: security
...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do ...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do
end end
end end
describe '#labels' do
render_views
context 'as json' do
let!(:guest) { create(:user, username: 'guest1') }
let!(:group) { create(:group, :public) }
let!(:project) { create(:project, :public, group: group) }
let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
it 'does not render labels of private issues if user has no access' do
sign_in(guest)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).not_to include(label.title)
end
it 'does render labels of private issues if user has access' do
sign_in(user)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).to include(label.title)
end
end
end
context 'promotion succeeds' do context 'promotion succeeds' do
before do before do
group.add_developer(user) group.add_developer(user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment