nexedi / gitlab-ce
Commit cd5f31e4
authored Apr 08, 2019 by Felipe Artur
Prevent leaking information when issue is moved
Prevent leaking namespace and project names on moved issue links
parent 689874c4
Showing 3 changed files with 27 additions and 7 deletions (+27 -7)
app/views/projects/issues/show.html.haml (+1 -1)
changelogs/unreleased/security-issue_2830.yml (+5 -0)
spec/views/projects/issues/show.html.haml_spec.rb (+21 -6)
app/views/projects/issues/show.html.haml
@@ -15,7 +15,7 @@
.issuable-status-box.status-box.status-box-issue-closed
{
class:
issue_button_visibility
(
@issue
,
false
)
}
=
sprite_icon
(
'mobile-issue-close'
,
size:
16
,
css_class:
'd-block d-sm-none'
)
.d-none.d-sm-block
-
if
@issue
.
moved?
-
if
@issue
.
moved?
&&
can?
(
current_user
,
:read_issue
,
@issue
.
moved_to
)
-
moved_link_start
=
"<a href=
\"
#{
issue_path
(
@issue
.
moved_to
)
}
\"
class=
\"
text-white text-underline
\"
>"
.
html_safe
-
moved_link_end
=
'</a>'
.
html_safe
=
s_
(
'IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})'
).
html_safe
%
{
moved_link_start:
moved_link_start
,
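Review bot: the guard `can?(current_user, :read_issue, @issue.moved_to)` added to the `if` is the right fix, because `issue_path(@issue.moved_to)` inlines the target namespace and project path into the href, but the hunk ends before any `else` branch, so confirm that a viewer who fails the check still gets a plain "Closed" status box rather than an empty `.d-none.d-sm-block`. Since the same authorization applies wherever `moved_to` is rendered, consider wrapping the check in one helper instead of inlining the `can?` call in the template. Minor: `moved_link_start` assembles the anchor by string interpolation and `.html_safe`; `link_to` with `issue_path(@issue.moved_to)` would avoid hand-built markup marked safe.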
changelogs/unreleased/security-issue_2830.yml (new file, mode 100644)
---
title
:
'
Resolve:
moving
an
issue
to
private
repo
leaks
namespace
and
project
name'
merge_request
:
author
:
type
:
security
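Review bot: `merge_request:` and `author:` are left empty in the changelog entry; that is expected for a fix prepared outside the public merge request flow, but if a public MR number exists it should be filled in so the release note links to it. Wording: "private repo" should read "private project", matching the "namespace and project name" phrasing in the same title and the commit message.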
spec/views/projects/issues/show.html.haml_spec.rb
@@ -19,6 +19,7 @@ describe 'projects/issues/show' do
context
'when the issue is closed'
do
before
do
allow
(
issue
).
to
receive
(
:closed?
).
and_return
(
true
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
end
context
'when the issue was moved'
do
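Review bot: the `allow(view).to receive(:current_user).and_return(user)` stub is added only inside the 'when the issue is closed' context, so the new `can?` check in the view runs against `user` there but against whatever `current_user` returns by default in the other contexts of this spec. That is fine as long as the moved link is only rendered for closed issues, but stubbing `current_user` in the outer `before` would make every rendering path exercise the authorization check with the same user and avoid a nil-user surprise if the view changes.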
@@ -28,16 +29,30 @@ describe 'projects/issues/show' do
issue
.
moved_to
=
new_issue
end
it
'shows "Closed (moved)" if an issue has been moved'
do
render
context
'when user can see the moved issue'
do
before
do
project
.
add_developer
(
user
)
end
expect
(
rendered
).
to
have_selector
(
'.status-box-issue-closed:not(.hidden)'
,
text:
'Closed (moved)'
)
it
'shows "Closed (moved)" if an issue has been moved'
do
render
expect
(
rendered
).
to
have_selector
(
'.status-box-issue-closed:not(.hidden)'
,
text:
'Closed (moved)'
)
end
it
'links "moved" to the new issue the original issue was moved to'
do
render
expect
(
rendered
).
to
have_selector
(
"a[href=
\"
#{
issue_path
(
new_issue
)
}
\"
]"
,
text:
'moved'
)
end
end
it
'links "moved" to the new issue the original issue was moved to'
do
render
context
'when user cannot see moved issue'
do
it
'does not show moved issue link'
do
render
expect
(
rendered
).
to
have_selector
(
"a[href=
\"
#{
issue_path
(
new_issue
)
}
\"
]"
,
text:
'moved'
)
expect
(
rendered
).
not_to
have_selector
(
"a[href=
\"
#{
issue_path
(
new_issue
)
}
\"
]"
,
text:
'moved'
)
end
end
end
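Review bot: the negative context ('when user cannot see moved issue') asserts only that the `a[href="#{issue_path(new_issue)}"]` selector is absent, yet the leak being fixed is the namespace and project name inside that href; add a stronger check such as `expect(rendered).not_to include(issue_path(new_issue))` (or against `new_issue.project.full_path`) so a later change that prints the path outside an anchor still fails. It should also assert that the box still shows "Closed" for that user, which the positive context checks but the negative one does not. The negative case relies on `project` not being public and `user` having no membership by default; making that visibility explicit in the context would keep the test meaningful if the fixture changes. In the positive context, `project.add_developer(user)` grants access on `project`, so confirm `new_issue` is created in that project (its `let` is above the hunk), otherwise the grant does not influence `can?(user, :read_issue, new_issue)`.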