Fix internal snippets can be searched by anyone

3 files changed, 62 insertions, 2 deletions

diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index f8034cb5e6b..3a191cd91d0 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -135,7 +135,10 @@ class Snippet < ActiveRecord::Base
     end
 
     def accessible_to(user)
-      where('visibility_level IN (?) OR author_id = ?', [Snippet::INTERNAL, Snippet::PUBLIC], user)
+      visibility_levels = [Snippet::PUBLIC]
+      visibility_levels << Snippet::INTERNAL if user
+
+      where('visibility_level IN (?) OR author_id = ?', visibility_levels, user)
     end
   end
 end
diff --git a/spec/models/snippet_spec.rb b/spec/models/snippet_spec.rb
index 789816bf2c7..57365571a7b 100644
--- a/spec/models/snippet_spec.rb
+++ b/spec/models/snippet_spec.rb
@@ -72,7 +72,7 @@ describe Snippet, models: true do
     end
   end
 
-  describe '#search_code' do
+  describe '.search_code' do
     let(:snippet) { create(:snippet, content: 'class Foo; end') }
 
     it 'returns snippets with matching content' do
@@ -88,6 +88,26 @@ describe Snippet, models: true do
     end
   end
 
+  describe '.accessible_to' do
+    let(:author) { create(:author) }
+    let(:user) { create(:user) }
+    let!(:public_snippet)   { create(:snippet, :public) }
+    let!(:internal_snippet) { create(:snippet, :internal) }
+    let!(:private_snippet)  { create(:snippet, :private, author: author) }
+
+    it 'returns only public snippets when user is nil' do
+      expect(described_class.accessible_to(nil)).to eq [public_snippet]
+    end
+
+    it 'returns only public, and internal snippets when user is not nil' do
+      expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet]
+    end
+
+    it 'returns snippets where the user is the author' do
+      expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet]
+    end
+  end
+
   describe '#participants' do
     let(:project) { create(:project, :public) }
     let(:snippet) { create(:snippet, content: 'foo', project: project) }
diff --git a/spec/services/search/snippet_service_spec.rb b/spec/services/search/snippet_service_spec.rb
new file mode 100644
index 00000000000..85721b61cff
--- /dev/null
+++ b/spec/services/search/snippet_service_spec.rb
@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+describe Search::SnippetService, services: true do
+  let(:author) { create(:author) }
+  let(:internal_user) { create(:user) }
+
+  let!(:public_snippet)   { create(:snippet, :public, content: 'password: XXX') }
+  let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }
+  let!(:private_snippet)  { create(:snippet, :private, content: 'password: XXX', author: author) }
+
+  describe '#execute' do
+    context 'unauthenticated' do
+      it 'should return public snippets only' do
+        search = described_class.new(nil, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet]
+      end
+    end
+
+    context 'authenticated' do
+      it 'should return only public & internal snippets' do
+        search = described_class.new(internal_user, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet]
+      end
+
+      it 'should return public, internal and private snippets for author' do
+        search = described_class.new(author, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet]
+      end
+    end
+  end
+end