Merge branch 'security-12-4-filter-member-only-packages' into '12-4-stable-ee'

GroupPackageFinder to filter private repos See merge request gitlab/gitlab-ee!1413

Merge branch 'security-12-4-filter-member-only-packages' into '12-4-stable-ee'
GroupPackageFinder to filter private repos See merge request gitlab/gitlab-ee!1413
756ba726 · GitLab Release Tools Bot · Robert Speicher · ac113694 · 756ba726 · 756ba726
Commit 756ba726 authored Oct 28, 2019 by GitLab Release Tools Bot Committed by Robert Speicher Nov 08, 2019
3 changed files
--- a/ee/app/finders/packages/group_packages_finder.rb
+++ b/ee/app/finders/packages/group_packages_finder.rb
@@ -30,6 +30,8 @@ module Packages
      ::Project
        .in_namespace(groups)
        .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
+        .with_project_feature
+        .select { |project| Ability.allowed?(current_user, :read_package, project) }
    end

    def package_type

--- a/ee/changelogs/unreleased/security-filter-member-only-packages-master.yml
+++ b/ee/changelogs/unreleased/security-filter-member-only-packages-master.yml
+---
+title: Filter out packages the user does'nt have permission to see at group level
+merge_request:
+author:
+type: security
--- a/ee/spec/finders/packages/group_packages_finder_spec.rb
+++ b/ee/spec/finders/packages/group_packages_finder_spec.rb
@@ -72,5 +72,40 @@ describe Packages::GroupPackagesFinder do

      it { is_expected.to match_array([package1])}
    end
+
+    context 'when project is public' do
+      set(:other_user) { create(:user) }
+      let(:finder) { described_class.new(other_user, group) }
+
+      before do
+        project.update!(visibility_level: ProjectFeature::ENABLED)
+      end
+
+      context 'when packages are public' do
+        before do
+          project.project_feature.update!(
+            builds_access_level: ProjectFeature::PRIVATE,
+            merge_requests_access_level: ProjectFeature::PRIVATE,
+            repository_access_level: ProjectFeature::ENABLED)
+        end
+
+        it 'returns group packages' do
+          expect(finder.execute).to match_array([package1, package2])
+        end
+      end
+
+      context 'packages are members only' do
+        before do
+          project.project_feature.update!(
+            builds_access_level: ProjectFeature::PRIVATE,
+            merge_requests_access_level: ProjectFeature::PRIVATE,
+            repository_access_level: ProjectFeature::PRIVATE)
+        end
+
+        it 'filters out the project if the user doesn\'t have permission' do
+          expect(finder.execute).to be_empty
+        end
+      end
+    end
  end
 end