authorRobert Speicher <rspeicher@gmail.com>2015-04-13 15:43:58 -0400
committerRobert Speicher <rspeicher@gmail.com>2015-04-20 13:01:43 -0400
commit29604ff2c3d6fc81c3ac26b590f912fea15d58a6 (patch)
tree56f086f7a1e60eb50601a2d7eb8d6af725af2962
parent189c5347bef6c182ed00e2b845cdce5678abbbce (diff)
downloadgitlab-ce-29604ff2c3d6fc81c3ac26b590f912fea15d58a6.tar.gz
Add permission checking to UserReferenceFilter
-rw-r--r--lib/gitlab/markdown/user_reference_filter.rb15
-rw-r--r--spec/lib/gitlab/markdown/user_reference_filter_spec.rb18
2 files changed, 26 insertions, 7 deletions
diff --git a/lib/gitlab/markdown/user_reference_filter.rb b/lib/gitlab/markdown/user_reference_filter.rb
index eaf4094338b..d6798ee2158 100644
--- a/lib/gitlab/markdown/user_reference_filter.rb
+++ b/lib/gitlab/markdown/user_reference_filter.rb
@@ -78,12 +78,16 @@ module Gitlab
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
elsif namespace = Namespace.find_by(path: user)
if namespace.is_a?(Group)
- url = group_url(user, only_path: context[:only_path])
+ if user_can_read_group?(namespace)
+ url = group_url(user, only_path: context[:only_path])
+ %(<a href="#{url}" class="#{klass}">@#{user}</a>)
+ else
+ match
+ end
else
url = user_url(user, only_path: context[:only_path])
+ %(<a href="#{url}" class="#{klass}">@#{user}</a>)
end
-
- %(<a href="#{url}" class="#{klass}">@#{user}</a>)
else
match
end
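Review bot: The anchor markup `%(<a href="#{url}" class="#{klass}">@#{user}</a>)` is now built in three places (the first branch, the readable-group branch and the user-namespace branch), so a later change to the link format or its escaping has to be made in lockstep; a private helper such as `def link_to_mention(url, klass, user)` returning that string, called from each branch, would keep a single source of truth. Returning `match` for a group the viewer cannot read is the right choice here, since the output is then indistinguishable from an unknown namespace and the rendered text does not reveal that the group exists. The enclosing method, including the `if` condition that precedes line 21, starts outside the hunk.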
@@ -112,6 +116,11 @@ module Gitlab
h.namespace_project_url(project.namespace, project,
only_path: context[:only_path])
end
+
+ def user_can_read_group?(group)
+ return false if context[:current_user].blank?
+ Ability.abilities.allowed?(context[:current_user], :read_group, group)
+ end
end
end
end
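Review bot: `return false if context[:current_user].blank?` makes `user_can_read_group?` fail closed for any rendering done without a current user, so group mentions in content rendered anonymously are never linked regardless of the group's visibility; that is a sound conservative default, but the intent should be stated so it is not later mistaken for a bug. A one-line comment above the guard would do: `# No current user (e.g. anonymous rendering): treat every group as unreadable rather than consulting Ability.` If anonymous readers of public groups are meant to get links, the nil case would have to be delegated to `Ability` instead, which I cannot confirm from this hunk. The `Ability.abilities.allowed?` call itself reads `context[:current_user]` a second time; a local keeps the two reads consistent if the context is ever mutated mid-filter.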
diff --git a/spec/lib/gitlab/markdown/user_reference_filter_spec.rb b/spec/lib/gitlab/markdown/user_reference_filter_spec.rb
index 72f0746f0e2..1704c826d5d 100644
--- a/spec/lib/gitlab/markdown/user_reference_filter_spec.rb
+++ b/spec/lib/gitlab/markdown/user_reference_filter_spec.rb
@@ -47,11 +47,21 @@ module Gitlab::Markdown
end
end
- it 'links to a Group' do
- group = create(:group)
+ context 'mentioning a group' do
+ let(:group) { create(:group) }
+ let(:user) { create(:user) }
- doc = filter("Hey @#{group.name}")
- expect(doc.css('a').first.attr('href')).to eq urls.group_url(group)
+ it 'links to a Group that the current user can read' do
+ group.add_user(user, Gitlab::Access::DEVELOPER)
+
+ doc = filter("Hey @#{group.name}", current_user: user)
+ expect(doc.css('a').first.attr('href')).to eq urls.group_url(group)
+ end
+
+ it 'ignores references to a Group that the current user cannot read' do
+ doc = filter("Hey @#{group.name}", current_user: user)
+ expect(doc.to_html).to eq "Hey @#{group.name}"
+ end
end
it 'links with adjacent text' do
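Review bot: The new helper's guard for a missing current user is not exercised: both examples in the `mentioning a group` context pass `current_user: user`, so the branch that returns `false` when `context[:current_user]` is blank has no spec. An example like `it 'ignores references to a Group when there is no current user' do`, `doc = filter("Hey @#{group.name}")`, `expect(doc.to_html).to eq "Hey @#{group.name}"` would pin that behaviour. Some blank context lines of this hunk appear to have been dropped in rendering, so the example counts above are inferred from the visible lines.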