Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
29604ff2
Commit
29604ff2
authored
Apr 13, 2015
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add permission checking to UserReferenceFilter
parent
189c5347
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
26 additions
and
7 deletions
+26
-7
lib/gitlab/markdown/user_reference_filter.rb
lib/gitlab/markdown/user_reference_filter.rb
+12
-3
spec/lib/gitlab/markdown/user_reference_filter_spec.rb
spec/lib/gitlab/markdown/user_reference_filter_spec.rb
+14
-4
No files found.
lib/gitlab/markdown/user_reference_filter.rb
View file @
29604ff2
...
...
@@ -78,12 +78,16 @@ module Gitlab
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
elsif
namespace
=
Namespace
.
find_by
(
path:
user
)
if
namespace
.
is_a?
(
Group
)
url
=
group_url
(
user
,
only_path:
context
[
:only_path
])
if
user_can_read_group?
(
namespace
)
url
=
group_url
(
user
,
only_path:
context
[
:only_path
])
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
else
match
end
else
url
=
user_url
(
user
,
only_path:
context
[
:only_path
])
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
end
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
else
match
end
...
...
@@ -112,6 +116,11 @@ module Gitlab
h
.
namespace_project_url
(
project
.
namespace
,
project
,
only_path:
context
[
:only_path
])
end
def
user_can_read_group?
(
group
)
return
false
if
context
[
:current_user
].
blank?
Ability
.
abilities
.
allowed?
(
context
[
:current_user
],
:read_group
,
group
)
end
end
end
end
spec/lib/gitlab/markdown/user_reference_filter_spec.rb
View file @
29604ff2
...
...
@@ -47,11 +47,21 @@ module Gitlab::Markdown
end
end
it
'links to a Group'
do
group
=
create
(
:group
)
context
'mentioning a group'
do
let
(
:group
)
{
create
(
:group
)
}
let
(
:user
)
{
create
(
:user
)
}
doc
=
filter
(
"Hey @
#{
group
.
name
}
"
)
expect
(
doc
.
css
(
'a'
).
first
.
attr
(
'href'
)).
to
eq
urls
.
group_url
(
group
)
it
'links to a Group that the current user can read'
do
group
.
add_user
(
user
,
Gitlab
::
Access
::
DEVELOPER
)
doc
=
filter
(
"Hey @
#{
group
.
name
}
"
,
current_user:
user
)
expect
(
doc
.
css
(
'a'
).
first
.
attr
(
'href'
)).
to
eq
urls
.
group_url
(
group
)
end
it
'ignores references to a Group that the current user cannot read'
do
doc
=
filter
(
"Hey @
#{
group
.
name
}
"
,
current_user:
user
)
expect
(
doc
.
to_html
).
to
eq
"Hey @
#{
group
.
name
}
"
end
end
it
'links with adjacent text'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
