Present only issues visible to user in Vulnerabilitiy Issue Links API

73ee63b0 · Alan (Maciej) Paruszewski · James Fargher · 6f1b899d · 73ee63b0 · 73ee63b0
Commit 73ee63b0 authored Jul 16, 2020 by Alan (Maciej) Paruszewski Committed by James Fargher Jul 16, 2020
4 changed files
--- a/ee/changelogs/unreleased/9424-filter-not-visible-issues-from-vulnerability-issue-links-api.yml
+++ b/ee/changelogs/unreleased/9424-filter-not-visible-issues-from-vulnerability-issue-links-api.yml
+---
+title: Present only issues visible to user in Vulnerabilitiy Issue Links API
+merge_request: 36987
+author:
+type: fixed
--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
@@ -33,10 +33,8 @@ module API
      end
      get ':id/issue_links' do
        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
-        present vulnerability
-                  .related_issues
-                  .with_api_entity_associations
-                  .with_vulnerability_links,
+        related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
+        present Ability.issues_readable_by_user(related_issues, current_user),
                with: EE::API::Entities::VulnerabilityRelatedIssue
      end


--- a/ee/spec/factories/vulnerabilities.rb
+++ b/ee/spec/factories/vulnerabilities.rb
@@ -78,7 +78,7 @@ FactoryBot.define do

    trait :with_issue_links do
      after(:create) do |vulnerability|
-        create_list(:issue, 2).each do |issue|
+        create_list(:issue, 2, project: vulnerability.project).each do |issue|
          create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
        end
      end

--- a/ee/spec/requests/api/vulnerability_issue_links_spec.rb
+++ b/ee/spec/requests/api/vulnerability_issue_links_spec.rb
@@ -24,15 +24,51 @@ RSpec.describe API::VulnerabilityIssueLinks do
        project.add_developer(user)
      end

-      it 'gets the list of vulnerabilities' do
-        get_issue_links
-
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
-        expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
-        expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
-          match_array(vulnerability.issue_links.map(&:id)))
-        expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
+      shared_examples "responds with list of only visible issue links" do
+        it 'gets the list of visible issue links', :aggregate_failures do
+          get_issue_links
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
+          expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
+          expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
+            match_array(vulnerability.issue_links.map(&:id)))
+          expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
+        end
+      end
+
+      context 'when linked issue is not confidential and available for the user' do
+        include_examples 'responds with list of only visible issue links'
+      end
+
+      context 'when there is an additional confidential issue linked' do
+        let_it_be(:public_project) { create(:project, :public) }
+        let_it_be(:confidential_issue) { create(:issue, :confidential, project: public_project) }
+        let_it_be(:confidential_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: confidential_issue) }
+
+        include_examples 'responds with list of only visible issue links'
+
+        it 'does not return confidential issue in the response' do
+          get_issue_links
+
+          expect(json_response.map { |link| link['id'] }).not_to include(confidential_issue.id)
+          expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(confidential_issue_link.id)
+        end
+      end
+
+      context 'when link is created to issue in the inaccessible project' do
+        let_it_be(:private_project) { create(:project, :private) }
+        let_it_be(:private_issue) { create(:issue, :confidential, project: private_project) }
+        let_it_be(:private_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: private_issue) }
+
+        include_examples 'responds with list of only visible issue links'
+
+        it 'does not return issue from inaccessible project' do
+          get_issue_links
+
+          expect(json_response.map { |link| link['id'] }).not_to include(private_issue.id)
+          expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(private_issue_link.id)
+        end
      end

      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do
        end
      end

-      context 'with valid target_project_id and target_issue_iid params' do
+      context 'when issue is from different project' do
        let_it_be(:other_issue) { create(:issue) }

        let(:target_project_id) { other_issue.project_id }