authorRémy Coutable <remy@rymai.me>2016-04-25 15:46:15 +0200
committerRobert Speicher <rspeicher@gmail.com>2016-04-25 15:32:44 -0400
commitcd0750e0457f26f8165be301ad628e1830bd1e40 (patch)
tree0b24fe13ba21572c197e2919a7ebc79a980c9670
parentb79c5c40e18086f10b849d069bc1c496a851cbae (diff)
Prevent private project name and namespace from leaking in the new MR view
Fixes #15591. Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--app/services/merge_requests/build_service.rb3
-rw-r--r--spec/features/merge_requests/create_new_mr_spec.rb10
2 files changed, 13 insertions, 0 deletions
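--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -7,6 +7,9 @@ module MergeRequests
 merge_request.can_be_created = false
 merge_request.compare_commits = []
 merge_request.source_project = project unless merge_request.source_project
+
+ merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
 merge_request.target_project ||= (project.forked_from_project || project)
 merge_request.target_branch ||= merge_request.target_project.default_branch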
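Review bot: The added guard on `merge_request.target_project` runs before the `||=` default on the next line, so when no target project was supplied it calls `can?(current_user, :read_project, nil)`; whether `can?` tolerates a nil subject is not visible here, and the permission check is only meaningful when a target was actually given. Restricting it to `if merge_request.target_project && !can?(current_user, :read_project, merge_request.target_project)` leaves the nil path untouched and makes the intent explicit. Because this line is an access control it also deserves a why-comment, e.g. `# Drop a caller-supplied target project the user cannot read so its name and namespace are never rendered (#15591)`. The same consideration may apply to `source_project` assigned on the line above if that value can come from request params, which this hunk does not show. The enclosing method starts and ends outside the hunk.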
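--- a/spec/features/merge_requests/create_new_mr_spec.rb
+++ b/spec/features/merge_requests/create_new_mr_spec.rb
@@ -30,4 +30,14 @@ feature 'Create New Merge Request', feature: true, js: true do
 expect(page).to have_content 'git checkout -b orphaned-branch origin/orphaned-branch'
 end
+
+ context 'when target project cannot be viewed by the current user' do
+ it 'does not leak the private project name & namespace' do
+ private_project = create(:project, :private)
+
+ visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
+
+ expect(page).not_to have_content private_project.to_reference
+ end
+ end
 end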
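Review bot: The new example only asserts that `private_project.to_reference` is absent, which also passes if the page failed to render or redirected away, so it does not prove the fallback path in the service was exercised. Pair it with a positive expectation that the form rendered with the current project as target, for instance `expect(page).to have_content project.to_reference` if the new MR form shows the target project reference (verify against the view), so the negative check cannot pass vacuously. A one-line comment naming what is being protected would also help future readers, e.g. `# Regression test for #15591: a target_project_id the user cannot read must not expose that project`. The `feature` block continues outside the hunk.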