author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:47:54 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:47:57 +0000 |
commit | d9cbee47c617737cdc6153f88c1c706e329edbcd (patch) | |
tree | 0c03ccdfaab98dcf43576835e3088e5478a20c57 | |
parent | 0481f09b9a4ba8afc6818e532b8035879ffc02d4 (diff) | |
download | gitlab-ce-d9cbee47c617737cdc6153f88c1c706e329edbcd.tar.gz |
Merge branch 'security-11-5-commit-status-shown-for-guest-user' into 'security-11-5'
[11.5] Stop showing ci for guest users
See merge request gitlab/gitlabhq!2837
(cherry picked from commit ad1ab0b4ddfb94cbe3b987b556792edc18ac67eb)
d7095784 Stop showing ci for guest users
-rw-r--r-- | app/views/shared/projects/_project.html.haml | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-commit-status-shown-for-guest-user.yml | 5 | ||||
-rw-r--r-- | spec/features/dashboard/projects_spec.rb | 21 |
3 files changed, 27 insertions, 1 deletions
diff --git a/app/views/shared/projects/_project.html.haml b/app/views/shared/projects/_project.html.haml
index aba790e1217..9b1b86d7c71 100644
--- a/app/views/shared/projects/_project.html.haml
+++ b/app/views/shared/projects/_project.html.haml
@@ -45,7 +45,7 @@
 .prepend-top-0
 - if project.archived
 %span.prepend-left-10.badge.badge-warning archived
- - if can?(current_user, :read_cross_project) && project.pipeline_status.has_status?
+ - if can?(current_user, :read_cross_project) && project.pipeline_status.has_status? && can?(current_user, :read_build, project)
 %span.prepend-left-10
 = render_project_pipeline_status(project.pipeline_status)
 - if forks
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 00000000000..a80170091d0
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
diff --git a/spec/features/dashboard/projects_spec.rb b/spec/features/dashboard/projects_spec.rb
index 975b7944741..65d79db4a50 100644
--- a/spec/features/dashboard/projects_spec.rb
+++ b/spec/features/dashboard/projects_spec.rb
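Review bot: In the changed condition of `_project.html.haml`, `project.pipeline_status.has_status?` is still evaluated before the new `can?(current_user, :read_build, project)` check, so the pipeline status is looked up even for users who are not allowed to see it. Putting the permission check first keeps authorization ahead of the data access: `- if can?(current_user, :read_cross_project) && can?(current_user, :read_build, project) && project.pipeline_status.has_status?`. The guard also lives only in this partial; if `render_project_pipeline_status` is called from other views (none are visible in this hunk), each would need the same `:read_build` check, so enforcing it inside the helper may be the safer place.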
@@ -144,6 +144,27 @@ describe 'Dashboard Projects' do
 expect(page).to have_link('Commit: passed')
 end
 end
+
+ context 'guest user of project and project has private pipelines' do
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.update(public_builds: false)
+ project.add_guest(guest_user)
+ sign_in(guest_user)
+ end
+
+ it 'shows that the last pipeline passed' do
+ visit dashboard_projects_path
+
+ page.within('.controls') do
+ expect(page).not_to have_xpath("//a[@href='#{pipelines_project_commit_path(project, project.commit, ref: pipeline.ref)}']")
+ expect(page).not_to have_css('.ci-status-link')
+ expect(page).not_to have_css('.ci-status-icon-success')
+ expect(page).not_to have_link('Commit: passed')
+ end
+ end
+ end
 end
 context 'last push widget', :use_clean_rails_memory_store_caching do |
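Review bot: The new example is titled `it 'shows that the last pipeline passed' do`, but every assertion in it is `not_to`, so the title states the opposite of what is verified; `it 'does not show the pipeline status' do` would make a failure report readable. Because the example asserts only absence, it passes whenever the status is missing for any reason. The `pipeline` fixture is defined outside this hunk, so it is worth confirming that it is created and marked successful before `visit dashboard_projects_path`, rather than first being referenced inside the XPath expectation. The enclosing `describe` block starts and ends outside the hunk.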