summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorShinya Maeda <shinya@gitlab.com>2019-01-29 18:25:53 +0900
committerShinya Maeda <shinya@gitlab.com>2019-01-30 15:52:59 +0900
commitf942a08d23923afc7c99d750922ff61018cbcbf8 (patch)
tree655515f6085c17802682591b99515520a222ced2
parentaca9ce3eb61b4af37ee47daaf03c5e1e7a06a15d (diff)
downloadgitlab-ce-f942a08d23923afc7c99d750922ff61018cbcbf8.tar.gz
Fix Markdown of release notes
It was leaings confidential issue titles and MR titles to any users Fix spec Fix spec Fix tests
-rw-r--r--lib/api/entities.rb4
-rw-r--r--spec/requests/api/releases_spec.rb25
2 files changed, 28 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 62278360329..3341dd92ded 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1116,7 +1116,9 @@ module API
class Release < TagRelease
expose :name
- expose :description_html
+ expose :description_html do |entity|
+ MarkupHelper.markdown_field(entity, :description)
+ end
expose :created_at
expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
expose :commit, using: Entities::Commit
diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
index 811e23fb854..1f317971a66 100644
--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -127,6 +127,31 @@ describe API::Releases do
.to match_array(release.sources.map(&:url))
end
+ context "when release description contains confidential issue's link" do
+ let(:confidential_issue) do
+ create(:issue,
+ :confidential,
+ project: project,
+ title: 'A vulnerability')
+ end
+
+ let!(:release) do
+ create(:release,
+ project: project,
+ tag: 'v0.1',
+ sha: commit.id,
+ author: maintainer,
+ description: "This is confidential #{confidential_issue.to_reference}")
+ end
+
+ it "does not expose confidential issue's title" do
+ get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+ expect(json_response['description_html']).to include(confidential_issue.to_reference)
+ expect(json_response['description_html']).not_to include('A vulnerability')
+ end
+ end
+
context 'when release has link asset' do
let!(:link) do
create(:release_link,