Commit c7d80969 authored by Alessio Caiazza's avatar Alessio Caiazza

Merge branch 'security-rd-do-not-show-internal-info-in-public-feed' into 'master'

[master] Don't show internal info in public feed

See merge request gitlab/gitlabhq!2395
parents 8d18f219 c1cc4777
...@@ -56,7 +56,7 @@ class UserRecentEventsFinder ...@@ -56,7 +56,7 @@ class UserRecentEventsFinder
visible = target_user visible = target_user
.project_interactions .project_interactions
.where(visibility_level: [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]) .where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))
.select(:id) .select(:id)
Gitlab::SQL::Union.new([authorized, visible]).to_sql Gitlab::SQL::Union.new([authorized, visible]).to_sql
......
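Review bot: The new `.where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))` relies on `levels_for_user` returning only PUBLIC for a nil (anonymous) `current_user`, and nothing in the hunk records that invariant; a one-line comment above it, `# levels_for_user(nil) must yield only PUBLIC - anonymous users never see INTERNAL projects`, would stop a later edit from widening the list again. Whether `levels_for_user` also drops INTERNAL for external users is not visible here and is worth confirming, since they are barred from internal projects for the same reason. The `authorized` relation unioned on the last visible line, and the enclosing method, start outside this hunk.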
---
title: Don't show events from internal projects for anonymous users in public feed
merge_request:
author:
type: security
require 'spec_helper' require 'spec_helper'
describe UserRecentEventsFinder do describe UserRecentEventsFinder do
let(:user) { create(:user) } let(:current_user) { create(:user) }
let(:project) { create(:project) } let(:project_owner) { create(:user) }
let(:project_owner) { project.creator } let(:private_project) { create(:project, :private, creator: project_owner) }
let!(:event) { create(:event, project: project, author: project_owner) } let(:internal_project) { create(:project, :internal, creator: project_owner) }
let(:public_project) { create(:project, :public, creator: project_owner) }
let!(:private_event) { create(:event, project: private_project, author: project_owner) }
let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
let!(:public_event) { create(:event, project: public_project, author: project_owner) }
subject(:finder) { described_class.new(user, project_owner) } subject(:finder) { described_class.new(current_user, project_owner) }
describe '#execute' do describe '#execute' do
it 'does not include the event when a user does not have access to the project' do context 'current user does not have access to projects' do
expect(finder.execute).to be_empty it 'returns public and internal events' do
records = finder.execute
expect(records).to include(public_event, internal_event)
expect(records).not_to include(private_event)
end
end end
context 'when the user has access to a project' do context 'when current user has access to the projects' do
before do before do
project.add_developer(user) private_project.add_developer(current_user)
internal_project.add_developer(current_user)
public_project.add_developer(current_user)
end end
it 'includes the event' do it 'returns all the events' do
expect(finder.execute).to include(event) expect(finder.execute).to include(private_event, internal_event, public_event)
end end
it 'does not include the event if the user cannot read cross project' do it 'does not include the events if the user cannot read cross project' do
expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false } expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false }
expect(finder.execute).to be_empty expect(finder.execute).to be_empty
end end
end end
context 'when current user is anonymous' do
let(:current_user) { nil }
it 'returns public events only' do
expect(finder.execute).to eq([public_event])
end
end
end end
end end
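Review bot: The new contexts cover anonymous, non-member and member users but not an external user, who presumably must not see `internal_event` either; if `VisibilityLevel.levels_for_user` excludes INTERNAL for external users, a context `let(:current_user) { create(:user, :external) }` asserting `expect(finder.execute).to eq([public_event])` would pin that down (the `:external` factory trait is assumed, not visible here). The anonymous context's `eq([public_event])` at the line above also asserts ordering of a one-element array, which becomes brittle as soon as a second public event is added; `expect(finder.execute).to contain_exactly(public_event)` states the intent better. The spec's `describe` block opens above this section's first visible line.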