authorDouwe Maan <douwe@gitlab.com>2017-04-24 15:09:29 +0000
committerBob Van Landuyt <bob@gitlab.com>2017-05-10 16:44:20 +0200
commit61a81a3ac225296f8aefc4d2f350de72a531bf3d (patch)
tree5222aa976e732c27607425282193181f9efed3a3
parentd9ec830a8348fca93775c5f0b1f81a83e8c4f95a (diff)
downloadgitlab-ce-61a81a3ac225296f8aefc4d2f350de72a531bf3d.tar.gz
Merge branch '31157-respect-project-features-in-wiki-search' into 'security'
Respect project features in wiki and blob search See merge request !2089
-rw-r--r--changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml4
-rw-r--r--lib/gitlab/project_search_results.rb4
-rw-r--r--spec/lib/gitlab/project_search_results_spec.rb75
3 files changed, 80 insertions, 3 deletions
diff --git a/changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml b/changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml
new file mode 100644
index 00000000000..721bb435a2e
--- /dev/null
+++ b/changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml
@@ -0,0 +1,4 @@
+---
+title: Enforce project features when searching blobs and wikis
+merge_request:
+author:
diff --git a/lib/gitlab/project_search_results.rb b/lib/gitlab/project_search_results.rb
index 0b8959f2fb9..47cfe412715 100644
--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -82,6 +82,8 @@ module Gitlab
private
def blobs
+ return [] unless Ability.allowed?(@current_user, :download_code, @project)
+
@blobs ||= begin
blobs = project.repository.search_files_by_content(query, repository_ref).first(100)
found_file_names = Set.new
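Review bot: The new guard in `blobs` reads `@current_user` and `@project` directly, while the rest of the method goes through the `project` reader. Using the readers, `return [] unless Ability.allowed?(current_user, :download_code, project)`, keeps the check tied to the same object the search runs against, assuming a `current_user` reader exists on this class; the same applies to the guard added in `wiki_blobs`. A short comment such as `# Blob search exposes file contents, so require the same ability as downloading code` would record why `:download_code` is the gate. Other repository-backed scopes (commit search, for example) are not visible in this diff, so it is worth confirming they carry an equivalent check. The body of `blobs` continues outside the hunk.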
@@ -102,6 +104,8 @@ module Gitlab
end
def wiki_blobs
+ return [] unless Ability.allowed?(@current_user, :read_wiki, @project)
+
@wiki_blobs ||= begin
if project.wiki_enabled? && query.present?
project_wiki = ProjectWiki.new(project)
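Review bot: In `wiki_blobs` there are now two layers of access decision, the early `return []` on `:read_wiki` and the older `project.wiki_enabled?` test inside the memoised block, and nothing says which one is authoritative. The added `:wiki_disabled` spec suggests `:read_wiki` already denies access when the feature is off, so the inner test is presumably defence in depth. A comment above the guard, for example `# :read_wiki covers both the disabled and the members-only wiki settings; wiki_enabled? below is a secondary check`, would stop a later refactor from removing the wrong one. The method body continues outside the hunk.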
diff --git a/spec/lib/gitlab/project_search_results_spec.rb b/spec/lib/gitlab/project_search_results_spec.rb
index a7c8e7f1f57..6e0b1192706 100644
--- a/spec/lib/gitlab/project_search_results_spec.rb
+++ b/spec/lib/gitlab/project_search_results_spec.rb
@@ -22,8 +22,37 @@ describe Gitlab::ProjectSearchResults, lib: true do
end
describe 'blob search' do
- let(:project) { create(:project, :repository) }
- let(:results) { described_class.new(user, project, 'files').objects('blobs') }
+ let(:project) { create(:project, :public, :repository) }
+
+ subject(:results) { described_class.new(user, project, 'files').objects('blobs') }
+
+ context 'when repository is disabled' do
+ let(:project) { create(:project, :public, :repository, :repository_disabled) }
+
+ it 'hides blobs from members' do
+ project.add_reporter(user)
+
+ is_expected.to be_empty
+ end
+
+ it 'hides blobs from non-members' do
+ is_expected.to be_empty
+ end
+ end
+
+ context 'when repository is internal' do
+ let(:project) { create(:project, :public, :repository, :repository_private) }
+
+ it 'finds blobs for members' do
+ project.add_reporter(user)
+
+ is_expected.not_to be_empty
+ end
+
+ it 'hides blobs from non-members' do
+ is_expected.to be_empty
+ end
+ end
it 'finds by name' do
expect(results).to include(["files/images/wm.svg", nil])
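Review bot: The 'hides blobs from non-members' examples only exercise a signed-in non-member (`user` is defined outside this hunk, presumably as a created user), so a signed-out visitor on a public project is not covered. An example such as `expect(described_class.new(nil, project, 'files').objects('blobs')).to be_empty` in each context would pin that case, and the same gap exists in the 'wiki search' contexts further down. Separately, the context title 'when repository is internal' does not match the `:repository_private` trait it uses; 'when repository is members-only' would describe the setting more accurately, and likewise for 'when wiki is internal'.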
@@ -70,6 +99,46 @@ describe Gitlab::ProjectSearchResults, lib: true do
end
end
+ describe 'wiki search' do
+ let(:project) { create(:project, :public) }
+ let(:wiki) { build(:project_wiki, project: project) }
+ let!(:wiki_page) { wiki.create_page('Title', 'Content') }
+
+ subject(:results) { described_class.new(user, project, 'Content').objects('wiki_blobs') }
+
+ context 'when wiki is disabled' do
+ let(:project) { create(:project, :public, :wiki_disabled) }
+
+ it 'hides wiki blobs from members' do
+ project.add_reporter(user)
+
+ is_expected.to be_empty
+ end
+
+ it 'hides wiki blobs from non-members' do
+ is_expected.to be_empty
+ end
+ end
+
+ context 'when wiki is internal' do
+ let(:project) { create(:project, :public, :wiki_private) }
+
+ it 'finds wiki blobs for members' do
+ project.add_reporter(user)
+
+ is_expected.not_to be_empty
+ end
+
+ it 'hides wiki blobs from non-members' do
+ is_expected.to be_empty
+ end
+ end
+
+ it 'finds by content' do
+ expect(results).to include("master:Title.md:1:Content\n")
+ end
+ end
+
it 'does not list issues on private projects' do
issue = create(:issue, project: project)
@@ -79,7 +148,6 @@ describe Gitlab::ProjectSearchResults, lib: true do
end
describe 'confidential issues' do
- let(:project) { create(:empty_project) }
let(:query) { 'issue' }
let(:author) { create(:user) }
let(:assignee) { create(:user) }
@@ -277,6 +345,7 @@ describe Gitlab::ProjectSearchResults, lib: true do
context 'by commit hash' do
let(:project) { create(:project, :public, :repository) }
let(:commit) { project.repository.commit('0b4bc9a') }
+
commit_hashes = { short: '0b4bc9a', full: '0b4bc9a49b562e85de7cc9e834518ea6828729b9' }
commit_hashes.each do |type, commit_hash|