Commit 4dc442f1 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-unsubscribing-from-issue' into 'master'

Hide issue title on unsubscribe for anonymous users

See merge request gitlab/gitlabhq!3097
parents 0aa73480 1be66c4a
...@@ -100,4 +100,8 @@ module NotificationsHelper ...@@ -100,4 +100,8 @@ module NotificationsHelper
css_class: "icon notifications-icon js-notifications-icon" css_class: "icon notifications-icon js-notifications-icon"
) )
end end
def show_unsubscribe_title?(noteable)
can?(current_user, "read_#{noteable.to_ability_name}".to_sym, noteable)
end
end end
- noteable = @sent_notification.noteable - noteable = @sent_notification.noteable
- noteable_type = @sent_notification.noteable_type.titleize.downcase - noteable_type = @sent_notification.noteable_type.titleize.downcase
- noteable_text = %(#{noteable.title} (#{noteable.to_reference})) - noteable_text = show_unsubscribe_title?(noteable) ? %(#{noteable.title} (#{noteable.to_reference})) : %(#{noteable.to_reference})
- page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name - page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name
%h3.page-title %h3.page-title
......
---
title: Hide confidential issue title on unsubscribe for anonymous users
merge_request:
author:
type: security
...@@ -4,15 +4,31 @@ require 'rails_helper' ...@@ -4,15 +4,31 @@ require 'rails_helper'
describe SentNotificationsController do describe SentNotificationsController do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project) } let(:project) { create(:project, :public) }
let(:sent_notification) { create(:sent_notification, project: project, noteable: issue, recipient: user) } let(:private_project) { create(:project, :private) }
let(:sent_notification) { create(:sent_notification, project: target_project, noteable: noteable, recipient: user) }
let(:issue) do let(:issue) do
create(:issue, project: project, author: user) do |issue| create(:issue, project: target_project) do |issue|
issue.subscriptions.create(user: user, project: project, subscribed: true) issue.subscriptions.create(user: user, project: target_project, subscribed: true)
end end
end end
let(:confidential_issue) do
create(:issue, project: target_project, confidential: true) do |issue|
issue.subscriptions.create(user: user, project: target_project, subscribed: true)
end
end
let(:merge_request) do
create(:merge_request, source_project: target_project, target_project: target_project) do |mr|
mr.subscriptions.create(user: user, project: target_project, subscribed: true)
end
end
let(:noteable) { issue }
let(:target_project) { project }
describe 'GET unsubscribe' do describe 'GET unsubscribe' do
context 'when the user is not logged in' do context 'when the user is not logged in' do
context 'when the force param is passed' do context 'when the force param is passed' do
...@@ -34,20 +50,93 @@ describe SentNotificationsController do ...@@ -34,20 +50,93 @@ describe SentNotificationsController do
end end
context 'when the force param is not passed' do context 'when the force param is not passed' do
render_views
before do before do
get(:unsubscribe, params: { id: sent_notification.reply_key }) get(:unsubscribe, params: { id: sent_notification.reply_key })
end end
it 'does not unsubscribe the user' do shared_examples 'unsubscribing as anonymous' do
expect(issue.subscribed?(user, project)).to be_truthy it 'does not unsubscribe the user' do
expect(noteable.subscribed?(user, target_project)).to be_truthy
end
it 'does not set the flash message' do
expect(controller).not_to set_flash[:notice]
end
it 'renders unsubscribe page' do
expect(response.status).to eq(200)
expect(response).to render_template :unsubscribe
end
end end
it 'does not set the flash message' do context 'when project is public' do
expect(controller).not_to set_flash[:notice] context 'when unsubscribing from issue' do
let(:noteable) { issue }
it 'shows issue title' do
expect(response.body).to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from confidential issue' do
let(:noteable) { confidential_issue }
it 'does not show issue title' do
expect(response.body).not_to include(confidential_issue.title)
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from merge request' do
let(:noteable) { merge_request }
it 'shows merge request title' do
expect(response.body).to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
end end
it 'redirects to the login page' do context 'when project is not public' do
expect(response).to render_template :unsubscribe let(:target_project) { private_project }
context 'when unsubscribing from issue' do
let(:noteable) { issue }
it 'shows issue title' do
expect(response.body).not_to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from confidential issue' do
let(:noteable) { confidential_issue }
it 'does not show issue title' do
expect(response.body).not_to include(confidential_issue.title)
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from merge request' do
let(:noteable) { merge_request }
it 'shows merge request title' do
expect(response.body).not_to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment