Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
c59bc73c
Commit
c59bc73c
authored
Jun 29, 2020
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
parent
5b4f92ef
Changes
10
Show whitespace changes
Inline
Side-by-side
Showing
10 changed files
with
83 additions
and
38 deletions
+83
-38
app/controllers/projects/wikis_controller.rb
app/controllers/projects/wikis_controller.rb
+1
-1
app/finders/events_finder.rb
app/finders/events_finder.rb
+6
-0
app/models/merge_request.rb
app/models/merge_request.rb
+1
-1
changelogs/unreleased/private-profile-api.yml
changelogs/unreleased/private-profile-api.yml
+5
-0
changelogs/unreleased/security-215175-filter-merge-participants.yml
.../unreleased/security-215175-filter-merge-participants.yml
+5
-0
changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
...eleased/security-disable-caching-for-wiki-attachments.yml
+5
-0
spec/controllers/projects/wikis_controller_spec.rb
spec/controllers/projects/wikis_controller_spec.rb
+7
-31
spec/finders/events_finder_spec.rb
spec/finders/events_finder_spec.rb
+7
-0
spec/models/merge_request_spec.rb
spec/models/merge_request_spec.rb
+33
-5
spec/requests/api/events_spec.rb
spec/requests/api/events_spec.rb
+13
-0
No files found.
app/controllers/projects/wikis_controller.rb
View file @
c59bc73c
...
@@ -45,7 +45,7 @@ class Projects::WikisController < Projects::ApplicationController
...
@@ -45,7 +45,7 @@ class Projects::WikisController < Projects::ApplicationController
render
'show'
render
'show'
elsif
file_blob
elsif
file_blob
send_blob
(
@project_wiki
.
repository
,
file_blob
,
allow_caching:
@project
.
public?
)
send_blob
(
@project_wiki
.
repository
,
file_blob
)
elsif
show_create_form?
elsif
show_create_form?
# Assign a title to the WikiPage unless `id` is a randomly generated slug from #new
# Assign a title to the WikiPage unless `id` is a randomly generated slug from #new
title
=
params
[
:id
]
unless
params
[
:random_title
].
present?
title
=
params
[
:id
]
unless
params
[
:random_title
].
present?
...
...
app/finders/events_finder.rb
View file @
c59bc73c
...
@@ -33,6 +33,8 @@ class EventsFinder
...
@@ -33,6 +33,8 @@ class EventsFinder
end
end
def
execute
def
execute
return
Event
.
none
if
cannot_access_private_profile?
events
=
get_events
events
=
get_events
events
=
by_current_user_access
(
events
)
events
=
by_current_user_access
(
events
)
...
@@ -102,6 +104,10 @@ class EventsFinder
...
@@ -102,6 +104,10 @@ class EventsFinder
end
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: enable CodeReuse/ActiveRecord
def
cannot_access_private_profile?
source
.
is_a?
(
User
)
&&
!
Ability
.
allowed?
(
current_user
,
:read_user_profile
,
source
)
end
def
sort
(
events
)
def
sort
(
events
)
return
events
unless
params
[
:sort
]
return
events
unless
params
[
:sort
]
...
...
app/models/merge_request.rb
View file @
c59bc73c
...
@@ -513,7 +513,7 @@ class MergeRequest < ApplicationRecord
...
@@ -513,7 +513,7 @@ class MergeRequest < ApplicationRecord
participants
<<
merge_user
participants
<<
merge_user
end
end
participants
participants
.
select
{
|
participant
|
Ability
.
allowed?
(
participant
,
:read_merge_request
,
self
)
}
end
end
def
first_commit
def
first_commit
...
...
changelogs/unreleased/private-profile-api.yml
0 → 100644
View file @
c59bc73c
---
title
:
Do not show activity for users with private profiles
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-215175-filter-merge-participants.yml
0 → 100644
View file @
c59bc73c
---
title
:
Check access when sending TODOs related to merge requests
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
0 → 100644
View file @
c59bc73c
---
title
:
Disable caching for wiki attachments
merge_request
:
author
:
type
:
security
spec/controllers/projects/wikis_controller_spec.rb
View file @
c59bc73c
...
@@ -141,43 +141,19 @@ describe Projects::WikisController do
...
@@ -141,43 +141,19 @@ describe Projects::WikisController do
context
'when page is a file'
do
context
'when page is a file'
do
include
WikiHelpers
include
WikiHelpers
let
(
:id
)
{
upload_file_to_wiki
(
project
,
user
,
file_name
)
}
where
(
:file_name
)
{
[
'dk.png'
,
'unsanitized.svg'
,
'git-cheat-sheet.pdf'
]
}
context
'when file is an image'
do
let
(
:file_name
)
{
'dk.png'
}
it
'delivers the image'
do
subject
expect
(
response
.
headers
[
'Content-Disposition'
]).
to
match
(
/^inline/
)
expect
(
response
.
headers
[
Gitlab
::
Workhorse
::
DETECT_HEADER
]).
to
eq
"true"
end
context
'when file is a svg'
do
let
(
:file_name
)
{
'unsanitized.svg'
}
it
'delivers the image'
do
subject
expect
(
response
.
headers
[
'Content-Disposition'
]).
to
match
(
/^inline/
)
expect
(
response
.
headers
[
Gitlab
::
Workhorse
::
DETECT_HEADER
]).
to
eq
"true"
end
end
it_behaves_like
'project cache control headers'
with_them
do
end
let
(
:id
)
{
upload_file_to_wiki
(
project
,
user
,
file_name
)
}
context
'when file is a pdf'
do
let
(
:file_name
)
{
'git-cheat-sheet.pdf'
}
it
'
sets the content type to sets the content response
headers'
do
it
'
delivers the file with the correct
headers'
do
subject
subject
expect
(
response
.
headers
[
'Content-Disposition'
]).
to
match
(
/^inline/
)
expect
(
response
.
headers
[
'Content-Disposition'
]).
to
match
(
/^inline/
)
expect
(
response
.
headers
[
Gitlab
::
Workhorse
::
DETECT_HEADER
]).
to
eq
"true"
expect
(
response
.
headers
[
Gitlab
::
Workhorse
::
DETECT_HEADER
]).
to
eq
(
'true'
)
expect
(
response
.
cache_control
[
:public
]).
to
be
(
false
)
expect
(
response
.
cache_control
[
:extras
]).
to
include
(
'no-store'
)
end
end
it_behaves_like
'project cache control headers'
end
end
end
end
end
end
...
...
spec/finders/events_finder_spec.rb
View file @
c59bc73c
...
@@ -4,6 +4,7 @@ require 'spec_helper'
...
@@ -4,6 +4,7 @@ require 'spec_helper'
describe
EventsFinder
do
describe
EventsFinder
do
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let
(
:private_user
)
{
create
(
:user
,
private_profile:
true
)
}
let
(
:other_user
)
{
create
(
:user
)
}
let
(
:other_user
)
{
create
(
:user
)
}
let
(
:project1
)
{
create
(
:project
,
:private
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
}
let
(
:project1
)
{
create
(
:project
,
:private
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
}
...
@@ -57,6 +58,12 @@ describe EventsFinder do
...
@@ -57,6 +58,12 @@ describe EventsFinder do
expect
(
events
).
to
be_empty
expect
(
events
).
to
be_empty
end
end
it
'returns nothing when the target profile is private'
do
events
=
described_class
.
new
(
source:
private_user
,
current_user:
other_user
).
execute
expect
(
events
).
to
be_empty
end
end
end
describe
'wiki events feature flag'
do
describe
'wiki events feature flag'
do
...
...
spec/models/merge_request_spec.rb
View file @
c59bc73c
...
@@ -3458,7 +3458,7 @@ describe MergeRequest do
...
@@ -3458,7 +3458,7 @@ describe MergeRequest do
describe
'#merge_participants'
do
describe
'#merge_participants'
do
it
'contains author'
do
it
'contains author'
do
expect
(
subject
.
merge_participants
).
to
eq
([
subject
.
author
]
)
expect
(
subject
.
merge_participants
).
to
contain_exactly
(
subject
.
author
)
end
end
describe
'when merge_when_pipeline_succeeds? is true'
do
describe
'when merge_when_pipeline_succeeds? is true'
do
...
@@ -3472,8 +3472,20 @@ describe MergeRequest do
...
@@ -3472,8 +3472,20 @@ describe MergeRequest do
author:
user
)
author:
user
)
end
end
context
'author is not a project member'
do
it
'is empty'
do
expect
(
subject
.
merge_participants
).
to
be_empty
end
end
context
'author is a project member'
do
before
do
subject
.
project
.
team
.
add_reporter
(
user
)
end
it
'contains author only'
do
it
'contains author only'
do
expect
(
subject
.
merge_participants
).
to
eq
([
subject
.
author
])
expect
(
subject
.
merge_participants
).
to
contain_exactly
(
subject
.
author
)
end
end
end
end
end
...
@@ -3486,8 +3498,24 @@ describe MergeRequest do
...
@@ -3486,8 +3498,24 @@ describe MergeRequest do
merge_user:
merge_user
)
merge_user:
merge_user
)
end
end
before
do
subject
.
project
.
team
.
add_reporter
(
subject
.
author
)
end
context
'merge user is not a member'
do
it
'contains author only'
do
expect
(
subject
.
merge_participants
).
to
contain_exactly
(
subject
.
author
)
end
end
context
'both author and merge users are project members'
do
before
do
subject
.
project
.
team
.
add_reporter
(
merge_user
)
end
it
'contains author and merge user'
do
it
'contains author and merge user'
do
expect
(
subject
.
merge_participants
).
to
eq
([
subject
.
author
,
merge_user
])
expect
(
subject
.
merge_participants
).
to
contain_exactly
(
subject
.
author
,
merge_user
)
end
end
end
end
end
end
end
...
...
spec/requests/api/events_spec.rb
View file @
c59bc73c
...
@@ -192,6 +192,19 @@ describe API::Events do
...
@@ -192,6 +192,19 @@ describe API::Events do
end
end
end
end
context
'when target users profile is private'
do
it
'returns no events'
do
user
.
update!
(
private_profile:
true
)
private_project
.
add_developer
(
non_member
)
get
api
(
"/users/
#{
user
.
username
}
/events"
,
non_member
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
include_pagination_headers
expect
(
json_response
).
to
eq
([])
end
end
context
'when scope is passed'
do
context
'when scope is passed'
do
context
'when unauthenticated'
do
context
'when unauthenticated'
do
it
'returns no user events'
do
it
'returns no user events'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment