Commit 4b2d49b7 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-hide_moved_issue_id' into 'master'

Do not show moved issue IDs to users who are not authorized

Closes #2878

See merge request gitlab/gitlabhq!3230
parents cfc327b0 43830eca
...@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity ...@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
expose :discussion_locked expose :discussion_locked
expose :assignees, using: API::Entities::UserBasic expose :assignees, using: API::Entities::UserBasic
expose :due_date expose :due_date
expose :moved_to_id
expose :project_id expose :project_id
expose :moved_to_id do |issue|
if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)
issue.moved_to_id
end
end
expose :web_url do |issue| expose :web_url do |issue|
project_issue_path(issue.project, issue) project_issue_path(issue.project, issue)
end end
......
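Review bot: The guard `if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)` passes `issue.moved_to` as the subject, which is nil when the id is still set but the target issue has since been deleted; whether `can?` denies or raises for a nil subject is not visible in this hunk, so I would make the intent explicit with `if issue.moved_to && can?(request.current_user, :read_issue, issue.moved_to)` (a loaded record implies a present id) and cover that case in the spec. Checking `:read_issue` on the target issue rather than the target project is presumably the stricter subject, since it also covers issue-level restrictions such as confidentiality; a one-line why-comment above the block would help the next maintainer, e.g. `# Only reveal the target id when the viewer can read the moved issue itself; otherwise the id would leak the existence of a private issue.` If another serializer or API entity exposes `moved_to_id` for the same model, it needs the same guard, which is outside this hunk. The enclosing `IssueEntity` class starts before the hunk.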
---
title: Do not show moved issue id for users that cannot read issue
merge_request:
author:
type: security
...@@ -17,4 +17,37 @@ describe IssueEntity do ...@@ -17,4 +17,37 @@ describe IssueEntity do
it 'has time estimation attributes' do it 'has time estimation attributes' do
expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent) expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent)
end end
context 'when issue got moved' do
let(:public_project) { create(:project, :public) }
let(:member) { create(:user) }
let(:non_member) { create(:user) }
let(:issue) { create(:issue, project: public_project) }
before do
project.add_developer(member)
public_project.add_developer(member)
Issues::MoveService.new(public_project, member).execute(issue, project)
end
context 'when user cannot read target project' do
it 'does not return moved_to_id' do
request = double('request', current_user: non_member)
response = described_class.new(issue, request: request).as_json
expect(response[:moved_to_id]).to be_nil
end
end
context 'when user can read target project' do
it 'returns moved moved_to_id' do
request = double('request', current_user: member)
response = described_class.new(issue, request: request).as_json
expect(response[:moved_to_id]).to eq(issue.moved_to_id)
end
end
end
end end
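Review bot: The negative case at `it 'does not return moved_to_id'` only proves the fix if the `project` fixture referenced on the `project.add_developer(member)` and `Issues::MoveService` lines, which is defined outside this hunk, is not readable by `non_member`; pin that inside the context with `let(:project) { create(:project, :private) }` so the security assertion does not hinge on an unrelated outer `let`. A third example for a target issue that was deleted after the move (`moved_to_id` set, `moved_to` nil) is missing and would exercise the nil-subject path of the new `can?` call. The example name `'returns moved moved_to_id'` has a duplicated word and should read `'returns moved_to_id'`. The enclosing `describe IssueEntity` block starts before the hunk.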