Commit dbad14b7 authored by Luke Duncalfe's avatar Luke Duncalfe

Permission check issuable template API data

From https://gitlab.com/gitlab-org/gitlab/-/issues/336446:

> it seems possible that a customer might put some information in there
> that they would not want to be publicly known.

This change checks that a user can view issues, or merge requests, of a
project before exposing the default templates.

Changelog: security
EE: true
parent 9cb5a4eb
...@@ -37,8 +37,14 @@ module EE ...@@ -37,8 +37,14 @@ module EE
expose :compliance_frameworks do |project, _| expose :compliance_frameworks do |project, _|
[project.compliance_framework_setting&.compliance_management_framework&.name].compact [project.compliance_framework_setting&.compliance_management_framework&.name].compact
end end
expose :issues_template, if: ->(project, _) { project.feature_available?(:issuable_default_templates) } expose :issues_template, if: ->(project, options) do
expose :merge_requests_template, if: ->(project, _) { project.feature_available?(:issuable_default_templates) } project.feature_available?(:issuable_default_templates) &&
Ability.allowed?(options[:current_user], :read_issue, project)
end
expose :merge_requests_template, if: ->(project, options) do
project.feature_available?(:issuable_default_templates) &&
Ability.allowed?(options[:current_user], :read_merge_request, project)
end
expose :merge_pipelines_enabled?, as: :merge_pipelines_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) } expose :merge_pipelines_enabled?, as: :merge_pipelines_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
expose :merge_trains_enabled?, as: :merge_trains_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) } expose :merge_trains_enabled?, as: :merge_trains_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
end end
......
...@@ -276,31 +276,59 @@ RSpec.describe API::Projects do ...@@ -276,31 +276,59 @@ RSpec.describe API::Projects do
end end
end end
context 'issuable default templates feature is available' do context 'issuable default templates' do
before do let(:project) { create(:project, :public) }
stub_licensed_features(issuable_default_templates: true)
end
it 'returns issuable default templates' do context 'when feature is available' do
subject before do
stub_licensed_features(issuable_default_templates: true)
end
expect(response).to have_gitlab_http_status(:ok) it 'returns issuable default templates' do
expect(json_response).to have_key 'issues_template' subject
expect(json_response).to have_key 'merge_requests_template'
end
end
context 'issuable default templates feature not available' do expect(response).to have_gitlab_http_status(:ok)
before do expect(json_response).to have_key 'issues_template'
stub_licensed_features(issuable_default_templates: false) expect(json_response).to have_key 'merge_requests_template'
end
context 'when user does not have permission to see issues' do
let(:project) { create(:project, :public, :issues_private) }
it 'does not return issue default templates' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).not_to have_key 'issues_template'
expect(json_response).to have_key 'merge_requests_template'
end
end
context 'when user does not have permission to see merge requests' do
let(:project) { create(:project, :public, :merge_requests_private) }
it 'does not return merge request default templates' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to have_key 'issues_template'
expect(json_response).not_to have_key 'merge_requests_template'
end
end
end end
it 'does not return issuable default templates' do context 'issuable default templates feature not available' do
subject before do
stub_licensed_features(issuable_default_templates: false)
end
expect(response).to have_gitlab_http_status(:ok) it 'does not return issuable default templates' do
expect(json_response).not_to have_key 'issues_template' subject
expect(json_response).not_to have_key 'merge_requests_template'
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).not_to have_key 'issues_template'
expect(json_response).not_to have_key 'merge_requests_template'
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment