authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:46:48 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:47:03 +0000
commit8171aefb3235e3f112fadbd1f1dc698a04f1d84b (patch)
tree6a4148560270a26cda2464c7016d73c561aa56f5
parent7229dcfc0a757cc94a80cf925d6ff4bfd4c9217a (diff)
downloadgitlab-ce-8171aefb3235e3f112fadbd1f1dc698a04f1d84b.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
-rw-r--r--app/models/project.rb2
-rw-r--r--app/policies/packages/policies/group_policy.rb2
-rw-r--r--app/policies/packages/policies/project_policy.rb2
-rw-r--r--app/views/projects/tags/_release_link.html.haml9
-rw-r--r--app/views/projects/tags/show.html.haml13
-rw-r--r--spec/features/tags/developer_views_tags_spec.rb2
-rw-r--r--spec/models/project_spec.rb4
-rw-r--r--spec/support/shared_examples/features/user_views_tag_shared_examples.rb47
8 files changed, 55 insertions, 26 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index c5fad189f87..f7c28bb8642 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2136,8 +2136,8 @@ class Project < ApplicationRecord
end
def after_import
- repository.remove_prohibited_branches
repository.expire_content_cache
+ repository.remove_prohibited_branches
wiki.repository.expire_content_cache
DetectRepositoryLanguagesWorker.perform_async(id)
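Review bot: The new order of `repository.expire_content_cache` before `repository.remove_prohibited_branches` carries no explanation in the code, and the only place the ordering is pinned is the pair of `.ordered` expectations in spec/models/project_spec.rb. Presumably the intent is that remove_prohibited_branches must see the freshly imported refs rather than a branch list cached before the import, but a reader of after_import cannot tell that from two bare lines. I would add above the expire call `# Expire cached refs first so remove_prohibited_branches operates on the imported branches, not a stale list`. after_import's body continues past the end of the hunk.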
diff --git a/app/policies/packages/policies/group_policy.rb b/app/policies/packages/policies/group_policy.rb
index 32dbcb1b65b..d8c20c7a90a 100644
--- a/app/policies/packages/policies/group_policy.rb
+++ b/app/policies/packages/policies/group_policy.rb
@@ -25,3 +25,5 @@ module Packages
end
end
end
+
+Packages::Policies::GroupPolicy.prepend_mod_with('Packages::Policies::GroupPolicy')
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
index c754d24349a..0fb5953f2aa 100644
--- a/app/policies/packages/policies/project_policy.rb
+++ b/app/policies/packages/policies/project_policy.rb
@@ -52,3 +52,5 @@ module Packages
end
end
end
+
+Packages::Policies::ProjectPolicy.prepend_mod_with('Packages::Policies::ProjectPolicy')
diff --git a/app/views/projects/tags/_release_link.html.haml b/app/views/projects/tags/_release_link.html.haml
index c942d122a58..6c79b13f438 100644
--- a/app/views/projects/tags/_release_link.html.haml
+++ b/app/views/projects/tags/_release_link.html.haml
@@ -1,4 +1,5 @@
-.gl-text-secondary
- = sprite_icon("rocket", size: 12)
- = _("Release")
- = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"
+- if can?(current_user, :read_release, release)
+ .gl-text-secondary
+ = sprite_icon("rocket", size: 12)
+ = _("Release")
+ = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"
diff --git a/app/views/projects/tags/show.html.haml b/app/views/projects/tags/show.html.haml
index cb7751ecf2e..a9c3309e38c 100644
--- a/app/views/projects/tags/show.html.haml
+++ b/app/views/projects/tags/show.html.haml
@@ -57,12 +57,13 @@
%pre.wrap{ data: { qa_selector: 'tag_message_content' } }
= strip_signature(@tag.message)
-.gl-mb-3.gl-mt-3
- - if @release&.description.present?
- .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
- = markdown_field(@release, :description)
- - else
- = s_('TagsPage|This tag has no release notes.')
+- if can?(current_user, :read_release, @release)
+ .gl-mb-3.gl-mt-3
+ - if @release&.description.present?
+ .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
+ = markdown_field(@release, :description)
+ - else
+ = s_('TagsPage|This tag has no release notes.')
- if can?(current_user, :admin_tag, @project)
.js-delete-tag-modal
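Review bot: Wrapping the whole release-notes block in `can?(current_user, :read_release, @release)` changes what a tag without any release shows: the `- else` branch with `s_('TagsPage|This tag has no release notes.')` now renders only if `can?` grants the ability on a nil `@release`, and the `&.` on the line above shows nil is an expected value there. The spec change in spec/features/tags/developer_views_tags_spec.rb, which now creates a release before visiting the tag page, suggests the message stopped appearing for release-less tags. If that is intended, the `else` branch is reachable only for a readable release with a blank description and a short template comment should say so; if not, the nil case needs its own condition, e.g. `- if @release.nil? || can?(current_user, :read_release, @release)`, bearing in mind that showing the message only for the nil case lets a viewer distinguish "no release" from "release hidden". The same view-level guard is added in app/views/projects/tags/_release_link.html.haml.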
diff --git a/spec/features/tags/developer_views_tags_spec.rb b/spec/features/tags/developer_views_tags_spec.rb
index 57e1f7da04e..e2399dd9978 100644
--- a/spec/features/tags/developer_views_tags_spec.rb
+++ b/spec/features/tags/developer_views_tags_spec.rb
@@ -53,6 +53,8 @@ RSpec.describe 'Developer views tags' do
end
it 'views a specific tag page' do
+ create(:release, project: project, tag: 'v1.0.0', name: 'v1.0.0', description: nil)
+
click_on 'v1.0.0'
expect(page).to have_current_path(
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 99b984ff547..825a914c810 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -5509,8 +5509,8 @@ RSpec.describe Project, factory_default: :keep do
let(:import_state) { create(:import_state, project: project) }
it 'runs the correct hooks' do
- expect(project.repository).to receive(:remove_prohibited_branches)
- expect(project.repository).to receive(:expire_content_cache)
+ expect(project.repository).to receive(:expire_content_cache).ordered
+ expect(project.repository).to receive(:remove_prohibited_branches).ordered
expect(project.wiki.repository).to receive(:expire_content_cache)
expect(import_state).to receive(:finish)
expect(project).to receive(:update_project_counter_caches)
diff --git a/spec/support/shared_examples/features/user_views_tag_shared_examples.rb b/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
index 989de1dbfbb..702964a2610 100644
--- a/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
+++ b/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
@@ -2,33 +2,54 @@
RSpec.shared_examples 'user views tag' do
context 'when user views with the tag' do
- let(:project) { create(:project, :repository) }
+ let(:project) { create(:project, :repository, :public) }
let(:user) { create(:user) }
let(:tag_name) { "stable" }
- let!(:release) { create(:release, project: project, tag: tag_name, name: "ReleaseName") }
+ let(:release_name) { 'ReleaseName' }
+ let(:release_notes) { 'Release notes' }
+ let!(:release) do
+ create(:release, project: project, tag: tag_name, name: release_name, description: release_notes)
+ end
before do
- project.add_developer(user)
project.repository.add_tag(user, tag_name, project.default_branch_or_main)
-
sign_in(user)
end
- shared_examples 'shows tag' do
- it do
- visit tag_page
+ context 'and user is authorized to read release' do
+ before do
+ project.add_developer(user)
+ end
+
+ shared_examples 'shows tag' do
+ it do
+ visit tag_page
+
+ expect(page).to have_content tag_name
+ expect(page).to have_link(release_name, href: project_release_path(project, release))
+ end
+ end
- expect(page).to have_content tag_name
- expect(page).to have_link("ReleaseName", href: project_release_path(project, release))
+ it_behaves_like 'shows tag'
+
+ context 'when tag name contains a slash' do
+ let(:tag_name) { "stable/v0.1" }
+
+ it_behaves_like 'shows tag'
end
end
- it_behaves_like 'shows tag'
+ context 'and user is not authorized to read release' do
+ before do
+ project.project_feature.update!(releases_access_level: Featurable::PRIVATE)
+ end
- context 'when tag name contains a slash' do
- let(:tag_name) { "stable/v0.1" }
+ it 'hides release link and notes', :aggregate_failures do
+ visit tag_page
- it_behaves_like 'shows tag'
+ expect(page).not_to have_link(release_name, href: project_release_path(project, release))
+ expect(page).not_to have_text(release_notes)
+ end
end
end
end
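Review bot: The negative example `hides release link and notes` at the end of the hunk never asserts that the tag page itself rendered, so a 404, a redirect to sign-in, or an empty page would satisfy its two `not_to` expectations just as well. Adding `expect(page).to have_content tag_name` directly after `visit tag_page` makes the example prove the page loaded and only the release parts were withheld. `release_notes` is the generic string 'Release notes', so the `not_to have_text` check is weaker than it looks; a less common phrase would reduce accidental passes.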