Merge branch '293737-hide-unauthorized-information-from-forks-index' into 'master'

Selectively hide fork information a user shouldn't be able to see See merge request gitlab-org/gitlab!82639

Merge branch '293737-hide-unauthorized-information-from-forks-index' into 'master'
Selectively hide fork information a user shouldn't be able to see See merge request gitlab-org/gitlab!82639
348a177d · Andrew Fontaine · 70da3b05 · ded80cc2 · 348a177d · 348a177d
Commit 348a177d authored Mar 28, 2022 by Andrew Fontaine
4 changed files
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -420,6 +420,14 @@ module ProjectsHelper
    project.path_with_namespace
  end
+  def able_to_see_issues?(project, user)
+    project.issues_enabled? && can?(user, :read_issue, project)
+  end
+  def able_to_see_merge_requests?(project, user)
+    project.merge_requests_enabled? && can?(user, :read_merge_request, project)
+  end
  def fork_button_disabled_tooltip(project)
    return unless current_user
@@ -627,7 +635,9 @@ module ProjectsHelper
  end
  def can_show_last_commit_in_list?(project)
-    can?(current_user, :read_cross_project) && project.commit
+    can?(current_user, :read_cross_project) &&
+      can?(current_user, :read_commit_status, project) &&
+      project.commit
  end
  def pages_https_only_disabled?

--- a/app/views/shared/projects/_list.html.haml
+++ b/app/views/shared/projects/_list.html.haml
@@ -37,8 +37,8 @@
        - css_class = (i >= projects_limit) || project.pending_delete? ? 'hide' : nil
        = render "shared/projects/project", project: project, skip_namespace: skip_namespace,
          avatar: avatar, stars: stars, css_class: css_class, use_creator_avatar: use_creator_avatar,
-          forks: project.forking_enabled?, show_last_commit_as_description: show_last_commit_as_description, user: user,
+          forks: project.forking_enabled?, show_last_commit_as_description: show_last_commit_as_description,
-          merge_requests: project.merge_requests_enabled?, issues: project.issues_enabled?,
+          user: user, merge_requests: able_to_see_merge_requests?(project, user), issues: able_to_see_issues?(project, user),
          pipeline_status: pipeline_status, compact_mode: compact_mode
    = paginate_collection(projects, remote: remote) unless skip_pagination
  - else

--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -1000,6 +1000,54 @@ RSpec.describe ProjectsHelper do
    end
  end
+  context 'fork security helpers' do
+    using RSpec::Parameterized::TableSyntax
+    describe "#able_to_see_merge_requests?" do
+      subject { helper.able_to_see_merge_requests?(project, user) }
+      where(:can_read_merge_request, :merge_requests_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+      with_them do
+        before do
+          allow(project).to receive(:merge_requests_enabled?).and_return(merge_requests_enabled)
+          allow(helper).to receive(:can?).with(user, :read_merge_request, project).and_return(can_read_merge_request)
+        end
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+    describe "#able_to_see_issues?" do
+      subject { helper.able_to_see_issues?(project, user) }
+      where(:can_read_issues, :issues_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+      with_them do
+        before do
+          allow(project).to receive(:issues_enabled?).and_return(issues_enabled)
+          allow(helper).to receive(:can?).with(user, :read_issue, project).and_return(can_read_issues)
+        end
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+  end
  describe '#fork_button_disabled_tooltip' do
    using RSpec::Parameterized::TableSyntax

--- a/spec/views/shared/projects/_list.html.haml_spec.rb
+++ b/spec/views/shared/projects/_list.html.haml_spec.rb
@@ -20,6 +20,18 @@ RSpec.describe 'shared/projects/_list' do
        expect(rendered).to have_content(project.name)
      end
    end
+    it "will not show elements a user shouldn't be able to see" do
+      allow(view).to receive(:can_show_last_commit_in_list?).and_return(false)
+      allow(view).to receive(:able_to_see_merge_requests?).and_return(false)
+      allow(view).to receive(:able_to_see_issues?).and_return(false)
+      render
+      expect(rendered).not_to have_css('a.commit-row-message')
+      expect(rendered).not_to have_css('a.issues')
+      expect(rendered).not_to have_css('a.merge-requests')
+    end
  end
  context 'without projects' do