disable markdown in comments when referencing disabled featuresissue_23548

author: Felipe Artur <felipefac@gmail.com> 2016-10-20 19:29:14 -0200
committer: Felipe Artur <felipefac@gmail.com> 2016-10-20 19:29:14 -0200
commit: ff9fd24cf0ba9ec2ffddb203d3a61d9e4982a4f5 (patch)
tree: 07d062cc43e2eb48e6c57a25628015b45782e730
parent: de12e6f0c4689155d049b56d97625627379a40b7 (diff)
download: gitlab-ce-issue_23548.tar.gz
17 files changed, 117 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 73dc323e02c..89d76bfc36f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Improve Merge When Build Succeeds triggers and execute on pipeline success. (!6675)
   - Respond with 404 Not Found for non-existent tags (Linus Thiel)
   - Truncate long labels with ellipsis in labels page
+  - Disable markdown in comments when referencing disabled features
   - Improve tabbing usability for sign in page (ClemMakesApps)
   - Enforce TrailingSemicolon and EmptyLineBetweenBlocks in scss-lint
   - Adding members no longer silently fails when there is extra whitespace
diff --git a/lib/banzai/reference_parser/base_parser.rb b/lib/banzai/reference_parser/base_parser.rb
index f5d110e987b..c60cf46c141 100644
--- a/lib/banzai/reference_parser/base_parser.rb
+++ b/lib/banzai/reference_parser/base_parser.rb
@@ -61,6 +61,8 @@ module Banzai
         project_attr = 'data-project'
 
         nodes.select do |node|
+          next unless can_read_reference?(user)
+
           if node.has_attribute?(project_attr)
             node_id = node.attr(project_attr).to_i
 
@@ -226,6 +228,15 @@ module Banzai
 
       attr_reader :current_user, :project
 
+      # When a feature is disabled or visible only for
+      # team members we should not allow team members
+      # see reference comments.
+      # Override this method on classes where feature
+      # visibility should be checked.
+      def can_read_reference?(user)
+        true
+      end
+
       def lazy(&block)
         Gitlab::Lazy.new(&block)
       end
diff --git a/lib/banzai/reference_parser/commit_parser.rb b/lib/banzai/reference_parser/commit_parser.rb
index 0fee9d267de..a65fc410b48 100644
--- a/lib/banzai/reference_parser/commit_parser.rb
+++ b/lib/banzai/reference_parser/commit_parser.rb
@@ -29,6 +29,12 @@ module Banzai
 
         commits
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:repository, user)
+      end
     end
   end
 end
diff --git a/lib/banzai/reference_parser/commit_range_parser.rb b/lib/banzai/reference_parser/commit_range_parser.rb
index 69d01f8db15..87db67c818e 100644
--- a/lib/banzai/reference_parser/commit_range_parser.rb
+++ b/lib/banzai/reference_parser/commit_range_parser.rb
@@ -33,6 +33,12 @@ module Banzai
 
         range.valid_commits? ? range : nil
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:repository, user)
+      end
     end
   end
 end
diff --git a/lib/banzai/reference_parser/issue_parser.rb b/lib/banzai/reference_parser/issue_parser.rb
index 6c20dec5734..d372a786dc5 100644
--- a/lib/banzai/reference_parser/issue_parser.rb
+++ b/lib/banzai/reference_parser/issue_parser.rb
@@ -13,6 +13,7 @@ module Banzai
           issues_readable_by_user(issues.values, user).to_set
 
         nodes.select do |node|
+          next unless can_read_reference?(user)
           readable_issues.include?(issue_for_node(issues, node))
         end
       end
@@ -47,6 +48,10 @@ module Banzai
 
       private
 
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:issues, user)
+      end
+
       def issue_for_node(issues, node)
         issues[node.attr(self.class.data_attribute).to_i]
       end
diff --git a/lib/banzai/reference_parser/label_parser.rb b/lib/banzai/reference_parser/label_parser.rb
index e5d1eb11d7f..8e54e7bb535 100644
--- a/lib/banzai/reference_parser/label_parser.rb
+++ b/lib/banzai/reference_parser/label_parser.rb
@@ -6,6 +6,12 @@ module Banzai
       def references_relation
         Label
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:issues, user)
+      end
     end
   end
 end
diff --git a/lib/banzai/reference_parser/merge_request_parser.rb b/lib/banzai/reference_parser/merge_request_parser.rb
index c9a9ca79c09..67ea83e017e 100644
--- a/lib/banzai/reference_parser/merge_request_parser.rb
+++ b/lib/banzai/reference_parser/merge_request_parser.rb
@@ -6,6 +6,12 @@ module Banzai
       def references_relation
         MergeRequest.includes(:author, :assignee, :target_project)
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:merge_requests, user)
+      end
     end
   end
 end
diff --git a/lib/banzai/reference_parser/milestone_parser.rb b/lib/banzai/reference_parser/milestone_parser.rb
index a000ac61e5c..2a99034739b 100644
--- a/lib/banzai/reference_parser/milestone_parser.rb
+++ b/lib/banzai/reference_parser/milestone_parser.rb
@@ -6,6 +6,12 @@ module Banzai
       def references_relation
         Milestone
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:issues, user)
+      end
     end
   end
 end
diff --git a/lib/banzai/reference_parser/snippet_parser.rb b/lib/banzai/reference_parser/snippet_parser.rb
index fa71b3c952a..4f5ae8274a8 100644
--- a/lib/banzai/reference_parser/snippet_parser.rb
+++ b/lib/banzai/reference_parser/snippet_parser.rb
@@ -6,6 +6,12 @@ module Banzai
       def references_relation
         Snippet
       end
+
+      private
+
+      def can_read_reference?(user)
+        @feature_allowed ||= project && project.feature_available?(:snippets, user)
+      end
     end
   end
 end
diff --git a/spec/lib/banzai/reference_parser/commit_parser_spec.rb b/spec/lib/banzai/reference_parser/commit_parser_spec.rb
index 0b76d29fce0..a7ae8ba2c83 100644
--- a/spec/lib/banzai/reference_parser/commit_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/commit_parser_spec.rb
@@ -8,6 +8,14 @@ describe Banzai::ReferenceParser::CommitParser, lib: true do
   subject { described_class.new(project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      before { link['data-commit'] = 123 }
+
+      it_behaves_like "referenced feature disabled", "repository"
+    end
+  end
+
   describe '#referenced_by' do
     context 'when the link has a data-project attribute' do
       before do
diff --git a/spec/lib/banzai/reference_parser/commit_range_parser_spec.rb b/spec/lib/banzai/reference_parser/commit_range_parser_spec.rb
index ba982f38542..5b5e759d513 100644
--- a/spec/lib/banzai/reference_parser/commit_range_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/commit_range_parser_spec.rb
@@ -8,6 +8,14 @@ describe Banzai::ReferenceParser::CommitRangeParser, lib: true do
   subject { described_class.new(project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      before { link['data-commit-range'] = '123..456' }
+
+      it_behaves_like "referenced feature disabled", "repository"
+    end
+  end
+
   describe '#referenced_by' do
     context 'when the link has a data-project attribute' do
       before do
diff --git a/spec/lib/banzai/reference_parser/issue_parser_spec.rb b/spec/lib/banzai/reference_parser/issue_parser_spec.rb
index 85cfe728b6a..b4855382da5 100644
--- a/spec/lib/banzai/reference_parser/issue_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/issue_parser_spec.rb
@@ -4,10 +4,10 @@ describe Banzai::ReferenceParser::IssueParser, lib: true do
   include ReferenceParserHelpers
 
   let(:project) { create(:empty_project, :public) }
-  let(:user) { create(:user) }
-  let(:issue) { create(:issue, project: project) }
-  subject { described_class.new(project, user) }
-  let(:link) { empty_html_link }
+  let(:user)    { create(:user) }
+  let(:issue)   { create(:issue, project: project) }
+  let(:link)    { empty_html_link }
+  subject       { described_class.new(project, user) }
 
   describe '#nodes_visible_to_user' do
     context 'when the link has a data-issue attribute' do
@@ -15,6 +15,8 @@ describe Banzai::ReferenceParser::IssueParser, lib: true do
         link['data-issue'] = issue.id.to_s
       end
 
+      it_behaves_like "referenced feature disabled", "issues"
+
       it 'returns the nodes when the user can read the issue' do
         expect(Ability).to receive(:issues_readable_by_user).
           with([issue], user).
diff --git a/spec/lib/banzai/reference_parser/label_parser_spec.rb b/spec/lib/banzai/reference_parser/label_parser_spec.rb
index 77fda47f0e7..08330909c4c 100644
--- a/spec/lib/banzai/reference_parser/label_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/label_parser_spec.rb
@@ -9,6 +9,14 @@ describe Banzai::ReferenceParser::LabelParser, lib: true do
   subject { described_class.new(project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      before { link['data-label'] = label.id.to_s }
+
+      it_behaves_like "referenced feature disabled", "issues"
+    end
+  end
+
   describe '#referenced_by' do
     describe 'when the link has a data-label attribute' do
       context 'using an existing label ID' do
diff --git a/spec/lib/banzai/reference_parser/merge_request_parser_spec.rb b/spec/lib/banzai/reference_parser/merge_request_parser_spec.rb
index cf89ad598ea..1f428102100 100644
--- a/spec/lib/banzai/reference_parser/merge_request_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/merge_request_parser_spec.rb
@@ -8,6 +8,16 @@ describe Banzai::ReferenceParser::MergeRequestParser, lib: true do
   subject { described_class.new(merge_request.target_project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      let(:project) { merge_request.target_project }
+
+      before { link['data-merge-request'] = merge_request.id.to_s }
+
+      it_behaves_like "referenced feature disabled", "merge_requests"
+    end
+  end
+
   describe '#referenced_by' do
     describe 'when the link has a data-merge-request attribute' do
       context 'using an existing merge request ID' do
diff --git a/spec/lib/banzai/reference_parser/milestone_parser_spec.rb b/spec/lib/banzai/reference_parser/milestone_parser_spec.rb
index 6aa45a22cc4..9b3e0c3c957 100644
--- a/spec/lib/banzai/reference_parser/milestone_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/milestone_parser_spec.rb
@@ -9,6 +9,14 @@ describe Banzai::ReferenceParser::MilestoneParser, lib: true do
   subject { described_class.new(project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      before { link['data-milestone'] = milestone.id.to_s }
+
+      it_behaves_like "referenced feature disabled", "issues"
+    end
+  end
+
   describe '#referenced_by' do
     describe 'when the link has a data-milestone attribute' do
       context 'using an existing milestone ID' do
diff --git a/spec/lib/banzai/reference_parser/snippet_parser_spec.rb b/spec/lib/banzai/reference_parser/snippet_parser_spec.rb
index 59127b7c5d1..8245bafe45d 100644
--- a/spec/lib/banzai/reference_parser/snippet_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/snippet_parser_spec.rb
@@ -9,6 +9,14 @@ describe Banzai::ReferenceParser::SnippetParser, lib: true do
   subject { described_class.new(project, user) }
   let(:link) { empty_html_link }
 
+  describe '#nodes_visible_to_user' do
+    context 'when the link has a data-issue attribute' do
+      before { link['data-snippet'] = snippet.id.to_s }
+
+      it_behaves_like "referenced feature disabled", "snippets"
+    end
+  end
+
   describe '#referenced_by' do
     describe 'when the link has a data-snippet attribute' do
       context 'using an existing snippet ID' do
diff --git a/spec/support/reference_parser_shared_examples.rb b/spec/support/reference_parser_shared_examples.rb
new file mode 100644
index 00000000000..cb6d760da70
--- /dev/null
+++ b/spec/support/reference_parser_shared_examples.rb
@@ -0,0 +1,8 @@
+RSpec.shared_examples "referenced feature disabled" do |related_feature|
+  let(:feature_field) { (related_feature + "_access_level").to_sym }
+
+  it "does not create reference" do
+    project.project_feature.update_attribute(feature_field, ProjectFeature::DISABLED)
+    expect(subject.nodes_visible_to_user(user, [link])).to eq([])
+  end
+end
author	Felipe Artur <felipefac@gmail.com>	2016-10-20 19:29:14 -0200
committer	Felipe Artur <felipefac@gmail.com>	2016-10-20 19:29:14 -0200
commit	ff9fd24cf0ba9ec2ffddb203d3a61d9e4982a4f5 (patch)
tree	07d062cc43e2eb48e6c57a25628015b45782e730
parent	de12e6f0c4689155d049b56d97625627379a40b7 (diff)
download	gitlab-ce-issue_23548.tar.gz