Commit c7fc0bf5 authored by Alex Hanselka's avatar Alex Hanselka

Merge remote-tracking branch 'dev/master'

* dev/master:
  Update CHANGELOG.md for 11.8.3
  Update CHANGELOG.md for 11.7.7
  Only return `commands_changes` used in frontend
parents fbc49fa3 d8dfd330
...@@ -2,6 +2,13 @@ ...@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 11.8.3 (2019-03-19)
### Security (1 change)
- Remove project serialization in quick actions response.
## 11.8.2 (2019-03-13) ## 11.8.2 (2019-03-13)
### Security (1 change) ### Security (1 change)
...@@ -264,6 +271,14 @@ entry. ...@@ -264,6 +271,14 @@ entry.
- Creates mixin to reduce code duplication between CE and EE in graph component. - Creates mixin to reduce code duplication between CE and EE in graph component.
## 11.7.7 (2019-03-19)
### Security (2 changes)
- Remove project serialization in quick actions response.
- Fixed ability to see private groups by users not belonging to given group.
## 11.7.5 (2019-02-06) ## 11.7.5 (2019-02-06)
### Fixed (8 changes) ### Fixed (8 changes)
...@@ -48,7 +48,7 @@ module NotesActions ...@@ -48,7 +48,7 @@ module NotesActions
respond_to do |format| respond_to do |format|
format.json do format.json do
json = { json = {
commands_changes: @note.commands_changes commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
} }
if @note.persisted? && return_discussion? if @note.persisted? && return_discussion?
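Review bot: The allowlist on the new `commands_changes:` line is an inline literal with nothing recording why the full hash is no longer returned, so the next quick action that needs a change surfaced in the UI will likely get its key appended without anyone recalling that this response once carried a serialized target project. I would hoist the keys to a documented frozen constant on the module, `# Only the keys the frontend reads; other quick actions (e.g. /move) put a serialized project here that must not be returned.` followed by `COMMANDS_CHANGES_KEYS = %i[emoji_award time_estimate spend_time].freeze`, and write the line as `commands_changes: @note.commands_changes&.slice(*COMMANDS_CHANGES_KEYS)`. `Hash#slice` only matches these symbol keys if `commands_changes` is symbol-keyed, which the spec added in this commit appears to confirm but which is not visible here. The enclosing action method begins before this hunk.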
---
title: Remove project serialization in quick actions response
merge_request:
author:
type: security
...@@ -413,6 +413,37 @@ describe Projects::NotesController do ...@@ -413,6 +413,37 @@ describe Projects::NotesController do
end end
end end
end end
context 'when creating a note with quick actions' do
context 'with commands that return changes' do
let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
it 'includes changes in commands_changes ' do
post :create, params: request_params.merge(note: { note: note_text }, format: :json)
expect(response).to have_gitlab_http_status(200)
expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
expect(json_response['commands_changes']).not_to include('target_project', 'title')
end
end
context 'with commands that do not return changes' do
let(:issue) { create(:issue, project: project) }
let(:other_project) { create(:project) }
let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
before do
other_project.add_developer(user)
end
it 'does not include changes in commands_changes' do
post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
expect(response).to have_gitlab_http_status(200)
expect(json_response['commands_changes']).not_to include('target_project', 'title')
end
end
end
end end
describe 'PUT update' do describe 'PUT update' do
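Review bot: The negative assertion in the first new example, `expect(json_response['commands_changes']).not_to include('target_project', 'title')`, is vacuous because that example's `note_text` never runs `/move` or `/title`, so it would pass even if the controller still returned the whole hash. Pinning the exact key set there guards the allowlist against any future leak rather than two named keys: `expect(json_response['commands_changes'].keys).to contain_exactly('emoji_award', 'time_estimate', 'spend_time')`. The second example could likewise assert the sliced result directly, `expect(json_response['commands_changes']).to eq({})`, assuming the slice yields an empty hash rather than `nil` for these commands, which I cannot confirm from the hunk.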