summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-05-25 20:28:17 +0000
committerDouwe Maan <douwe@gitlab.com>2016-05-25 20:28:17 +0000
commit997178220008696576ffb5cdee6cb9d0e7a44055 (patch)
treeb2476fed3952a8df889995756d2c172adb50013f
parent7fa1ab469f40dfced988a75b95e484e40615e32d (diff)
parentb359d5d57f4b836c04e9e2ef7e1fcb3775bd5305 (diff)
downloadgitlab-ce-997178220008696576ffb5cdee6cb9d0e7a44055.tar.gz
Merge branch 'fix-issue-17496' into 'master'
Fix groups API to list only user's accessible projects Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17496 See merge request !1966
-rw-r--r--CHANGELOG1
-rw-r--r--app/finders/group_projects_finder.rb2
-rw-r--r--lib/api/groups.rb3
-rw-r--r--spec/requests/api/groups_spec.rb21
4 files changed, 21 insertions, 6 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b79e6bb3ec2..551e1946a26 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.9.0 (unreleased)
- Redesign navigation for project pages
+ - Fix groups API to list only user's accessible projects
- Use gitlab-shell v3.0.0
- Add rake task 'gitlab:db:configure' for conditionally seeding or migrating the database
- Changed the Slack build message to use the singular duration if necessary (Aran Koning)
diff --git a/app/finders/group_projects_finder.rb b/app/finders/group_projects_finder.rb
index 3b9a421b118..aa8f4c1d0e4 100644
--- a/app/finders/group_projects_finder.rb
+++ b/app/finders/group_projects_finder.rb
@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder
projects = []
if current_user
- if @group.users.include?(current_user)
+ if @group.users.include?(current_user) || current_user.admin?
projects << @group.projects unless only_shared
projects << @group.shared_projects unless only_owned
else
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index 91e420832f3..9d8b8d737a9 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -95,8 +95,7 @@ module API
# GET /groups/:id/projects
get ":id/projects" do
group = find_group(params[:id])
- projects = group.projects
- projects = filter_projects(projects)
+ projects = GroupProjectsFinder.new(group).execute(current_user)
projects = paginate projects
present projects, with: Entities::Project
end
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 37ddab83c30..7ecefce80d6 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -12,6 +12,7 @@ describe API::API, api: true do
let!(:group2) { create(:group, :private) }
let!(:project1) { create(:project, namespace: group1) }
let!(:project2) { create(:project, namespace: group2) }
+ let!(:project3) { create(:project, namespace: group1, path: 'test', visibility_level: Gitlab::VisibilityLevel::PRIVATE) }
before do
group1.add_owner(user1)
@@ -147,9 +148,11 @@ describe API::API, api: true do
context "when authenticated as user" do
it "should return the group's projects" do
get api("/groups/#{group1.id}/projects", user1)
+
expect(response.status).to eq(200)
- expect(json_response.length).to eq(1)
- expect(json_response.first['name']).to eq(project1.name)
+ expect(json_response.length).to eq(2)
+ project_names = json_response.map { |proj| proj['name' ] }
+ expect(project_names).to match_array([project1.name, project3.name])
end
it "should not return a non existing group" do
@@ -162,6 +165,16 @@ describe API::API, api: true do
expect(response.status).to eq(404)
end
+
+ it "should only return projects to which user has access" do
+ project3.team << [user3, :developer]
+
+ get api("/groups/#{group1.id}/projects", user3)
+
+ expect(response.status).to eq(200)
+ expect(json_response.length).to eq(1)
+ expect(json_response.first['name']).to eq(project3.name)
+ end
end
context "when authenticated as admin" do
@@ -181,8 +194,10 @@ describe API::API, api: true do
context 'when using group path in URL' do
it 'should return any existing group' do
get api("/groups/#{group1.path}/projects", admin)
+
expect(response.status).to eq(200)
- expect(json_response.first['name']).to eq(project1.name)
+ project_names = json_response.map { |proj| proj['name' ] }
+ expect(project_names).to match_array([project1.name, project3.name])
end
it 'should not return a non existing group' do