authorYorick Peterse <yorickpeterse@gmail.com>2019-01-24 14:19:10 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-24 14:19:10 +0000
commit300d1028101a878f0b401c6b0b7411b4cdcea5e0 (patch)
treefa0ae312e41566e802b37b7d0bc7b0584049ae21
parent064154143352e5ef7b4e9f52feca9fee127a7389 (diff)
parent04d773d82632d08753fc6c10a193ef6178bc54ec (diff)
downloadgitlab-ce-300d1028101a878f0b401c6b0b7411b4cdcea5e0.tar.gz
Merge branch 'security-commit-status-shown-for-guest-user' into 'master'
[master] Stop showing ci for guest users on private pipeline. See merge request gitlab/gitlabhq!2830
-rw-r--r--app/views/shared/projects/_project.html.haml2
-rw-r--r--changelogs/unreleased/security-commit-status-shown-for-guest-user.yml5
-rw-r--r--spec/features/dashboard/projects_spec.rb21
3 files changed, 27 insertions, 1 deletions
diff --git a/app/views/shared/projects/_project.html.haml b/app/views/shared/projects/_project.html.haml
index fea7e17be3d..e1564d57426 100644
--- a/app/views/shared/projects/_project.html.haml
+++ b/app/views/shared/projects/_project.html.haml
@@ -84,7 +84,7 @@
title: _('Issues'), data: { container: 'body', placement: 'top' } do
= sprite_icon('issues', size: 14, css_class: 'append-right-4')
= number_with_delimiter(project.open_issues_count)
- - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status?
+ - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status? && can?(current_user, :read_build, project)
%span.icon-wrapper.pipeline-status
= render_project_pipeline_status(project.pipeline_status, tooltip_placement: 'top')
.updated-note
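Review bot: The added `can?(current_user, :read_build, project)` check sits at the end of the condition, after `project.pipeline_status.has_status?`, so the pipeline status is still looked up for a user who is about to be denied. Putting the authorization first keeps the data access behind the permission check: `- if pipeline_status && can?(current_user, :read_cross_project) && can?(current_user, :read_build, project) && project.pipeline_status.has_status?`. The guard is also enforced only in this partial. If `render_project_pipeline_status` is called from other views (not visible in this hunk), they would need the same `:read_build` check, so enforcing it inside the helper may be the safer place.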
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 00000000000..a80170091d0
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
diff --git a/spec/features/dashboard/projects_spec.rb b/spec/features/dashboard/projects_spec.rb
index edca8f9df08..6c4b04ab76b 100644
--- a/spec/features/dashboard/projects_spec.rb
+++ b/spec/features/dashboard/projects_spec.rb
@@ -147,6 +147,27 @@ describe 'Dashboard Projects' do
expect(page).to have_link('Commit: passed')
end
end
+
+ context 'guest user of project and project has private pipelines' do
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.update(public_builds: false)
+ project.add_guest(guest_user)
+ sign_in(guest_user)
+ end
+
+ it 'shows that the last pipeline passed' do
+ visit dashboard_projects_path
+
+ page.within('.controls') do
+ expect(page).not_to have_xpath("//a[@href='#{pipelines_project_commit_path(project, project.commit, ref: pipeline.ref)}']")
+ expect(page).not_to have_css('.ci-status-link')
+ expect(page).not_to have_css('.ci-status-icon-success')
+ expect(page).not_to have_link('Commit: passed')
+ end
+ end
+ end
end
context 'last push widget', :use_clean_rails_memory_store_caching do
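Review bot: The example description `it 'shows that the last pipeline passed' do` contradicts its body, which asserts only that the status link and icon are absent. It looks copied from the preceding example, and a failure report for this security regression would read backwards. Rename it to something like `it 'does not show the pipeline status' do`. Because every expectation is negative, a positive anchor inside the `.controls` block, for example asserting that the issues count control still renders for the guest, would show that the row was rendered and only the status was withheld. The enclosing `describe 'Dashboard Projects'` block and the `project`/`pipeline` definitions are outside this hunk.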