author | Robert Speicher <robert@gitlab.com> | 2016-04-26 00:37:01 +0000 |
---|---|---|
committer | Yorick Peterse <yorick@gitlab.com> | 2016-04-26 08:39:02 +0000 |
commit | c8776b0c570cbe4703283e4dcaad6e70aed1a6d6 (patch) | |
tree | dc2e9791d2f4e5e828e933146e3198ee72d1b66d | |
parent | 3b83ed2125086fced8e1432a281d9f9221697d3b (diff) | |
download | gitlab-ce-c8776b0c570cbe4703283e4dcaad6e70aed1a6d6.tar.gz |
Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'
Prevent information disclosure via milestone API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
See merge request !1961
-rw-r--r-- | lib/api/milestones.rb | 10 | ||||
-rw-r--r-- | spec/requests/api/milestones_spec.rb | 31 |
2 files changed, 39 insertions, 2 deletions
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 84b4d4cdd6d..132043cf3f7 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -105,7 +105,15 @@ module API
 authorize! :read_milestone, user_project
 @milestone = user_project.milestones.find(params[:milestone_id])
- present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
+
+ finder_params = {
+ project_id: user_project.id,
+ milestone_title: @milestone.title,
+ state: 'all'
+ }
+
+ issues = IssuesFinder.new(current_user, finder_params).execute
+ present paginate(issues), with: Entities::Issue, current_user: current_user
 end
 end
diff --git a/spec/requests/api/milestones_spec.rb b/spec/requests/api/milestones_spec.rb
index 344f0fe0b7f..241995041bb 100644
--- a/spec/requests/api/milestones_spec.rb
+++ b/spec/requests/api/milestones_spec.rb
@@ -127,7 +127,7 @@ describe API::API, api: true do
 describe 'GET /projects/:id/milestones/:milestone_id/issues' do
 before do
- milestone.issues << create(:issue)
+ milestone.issues << create(:issue, project: project)
 end
 it 'should return project issues for a particular milestone' do
 get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user)
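Review bot: The new lookup in the milestone issues handler keys the finder on `milestone_title: @milestone.title` rather than on the milestone it has just loaded by id, so the result set is only as precise as title uniqueness within the project; if two milestones in `user_project` could share a title, the issues of both would be returned under one milestone id. A comment on the `finder_params` hash, `# IssuesFinder selects by title; relies on milestone titles being unique per project`, would record that assumption, or a finder parameter keyed on the milestone id would remove it if the finder supports one. `state: 'all'` presumably exists because the finder otherwise restricts to open issues, keeping parity with the old `@milestone.issues`; that is worth a one-line comment too, since the previous line looked like a plain association read. The enclosing `get` block starts above the hunk.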
@@ -140,5 +140,34 @@ describe API::API, api: true do
 get api("/projects/#{project.id}/milestones/#{milestone.id}/issues")
 expect(response.status).to eq(401)
 end
+
+ describe 'confidential issues' do
+ let(:public_project) { create(:project, :public) }
+ let(:milestone) { create(:milestone, project: public_project) }
+ let(:issue) { create(:issue, project: public_project) }
+ let(:confidential_issue) { create(:issue, confidential: true, project: public_project) }
+ before do
+ public_project.team << [user, :developer]
+ milestone.issues << issue << confidential_issue
+ end
+
+ it 'returns confidential issues to team members' do
+ get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user)
+
+ expect(response.status).to eq(200)
+ expect(json_response).to be_an Array
+ expect(json_response.size).to eq(2)
+ expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id)
+ end
+
+ it 'does not return confidential issues to regular users' do
+ get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", create(:user))
+
+ expect(response.status).to eq(200)
+ expect(json_response).to be_an Array
+ expect(json_response.size).to eq(1)
+ expect(json_response.map { |issue| issue['id'] }).to include(issue.id)
+ end
+ end
 end
 end
|
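Review bot: The negative example `'does not return confidential issues to regular users'` only asserts that the size is 1 and that `issue.id` is present; an explicit `expect(json_response.map { |i| i['id'] }).not_to include(confidential_issue.id)` states the property under test directly and keeps failing for the right reason if a later fixture change adds more issues. The new `describe` also has no unauthenticated request against `public_project` — the preceding 401 example only covers the private `project` — so an anonymous `get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues")` expecting 200 and no `confidential_issue.id` would cover the path where `current_user` is presumably nil. The block parameter `|issue|` in both `map` calls shares its name with the `let(:issue)` read on the same line; renaming it to `|i|` removes the ambiguity.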