Commit 4cf1fbe2 authored by James Fargher's avatar James Fargher

Merge branch '9424-filter-not-visible-issues-from-vulnerability-issue-links-api' into 'master'

Present only issues visible to user in Vulnerability Issue Links API

See merge request gitlab-org/gitlab!36987
parents 16ee1d98 73ee63b0
---
title: Present only issues visible to user in Vulnerabilitiy Issue Links API
merge_request: 36987
author:
type: fixed
...@@ -33,10 +33,8 @@ module API ...@@ -33,10 +33,8 @@ module API
end end
get ':id/issue_links' do get ':id/issue_links' do
vulnerability = find_and_authorize_vulnerability!(:read_vulnerability) vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
present vulnerability related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
.related_issues present Ability.issues_readable_by_user(related_issues, current_user),
.with_api_entity_associations
.with_vulnerability_links,
with: EE::API::Entities::VulnerabilityRelatedIssue with: EE::API::Entities::VulnerabilityRelatedIssue
end end
......
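Review bot: The per-user filter on the `present` line is the security-relevant step of this endpoint and deserves a comment, because a reader may assume `find_and_authorize_vulnerability!(:read_vulnerability)` already covers the linked issues; suggest `# Linked issues may be confidential or live in projects the user cannot read, so filter them through the issue policy rather than relying on the vulnerability permission.` above the `related_issues = …` line. `Ability.issues_readable_by_user` presumably materialises the relation and filters in Ruby, so the preloading scopes must stay ahead of it (as they do here) and any pagination applied after this point would operate on an in-memory array rather than a query — worth confirming against the helper. The enclosing resource/class starts outside the hunk.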
...@@ -78,7 +78,7 @@ FactoryBot.define do ...@@ -78,7 +78,7 @@ FactoryBot.define do
trait :with_issue_links do trait :with_issue_links do
after(:create) do |vulnerability| after(:create) do |vulnerability|
create_list(:issue, 2).each do |issue| create_list(:issue, 2, project: vulnerability.project).each do |issue|
create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue) create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
end end
end end
......
...@@ -24,15 +24,51 @@ RSpec.describe API::VulnerabilityIssueLinks do ...@@ -24,15 +24,51 @@ RSpec.describe API::VulnerabilityIssueLinks do
project.add_developer(user) project.add_developer(user)
end end
it 'gets the list of vulnerabilities' do shared_examples "responds with list of only visible issue links" do
get_issue_links it 'gets the list of visible issue links', :aggregate_failures do
get_issue_links
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee') expect(response).to have_gitlab_http_status(:ok)
expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id)) expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
expect(json_response.map { |link| link['vulnerability_link_id'] }).to( expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
match_array(vulnerability.issue_links.map(&:id))) expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related' match_array(vulnerability.issue_links.map(&:id)))
expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
end
end
context 'when linked issue is not confidential and available for the user' do
include_examples 'responds with list of only visible issue links'
end
context 'when there is an additional confidential issue linked' do
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:confidential_issue) { create(:issue, :confidential, project: public_project) }
let_it_be(:confidential_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: confidential_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return confidential issue in the response' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(confidential_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(confidential_issue_link.id)
end
end
context 'when link is created to issue in the inaccessible project' do
let_it_be(:private_project) { create(:project, :private) }
let_it_be(:private_issue) { create(:issue, :confidential, project: private_project) }
let_it_be(:private_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: private_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return issue from inaccessible project' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(private_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(private_issue_link.id)
end
end end
it_behaves_like 'responds with "not found" for an unknown vulnerability ID' it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
...@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do ...@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do
end end
end end
context 'with valid target_project_id and target_issue_iid params' do context 'when issue is from different project' do
let_it_be(:other_issue) { create(:issue) } let_it_be(:other_issue) { create(:issue) }
let(:target_project_id) { other_issue.project_id } let(:target_project_id) { other_issue.project_id }
......
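Review bot: The shared example compares the response ids with `vulnerability.related_issues.map(&:id)`, which in the confidential and private-project contexts also contains the hidden issue, so `match_array` should fail there; it presumably passes only because `let_it_be(:vulnerability)` caches the association from the first example, which makes the check order-dependent. Defining the expected visible issues explicitly in each context (e.g. a `let(:visible_issues)` that the shared example asserts against) would pin the intent instead of relying on that cache. In the 'inaccessible project' context the issue is also created with `:confidential`, so the example cannot distinguish project inaccessibility from confidentiality; `let_it_be(:private_issue) { create(:issue, project: private_project) }` would exercise the project-level check on its own. The describe block starts and ends outside the hunks.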