author | Felipe Artur <felipefac@gmail.com> | 2019-07-10 17:04:02 -0300 |
committer | Felipe Artur <felipefac@gmail.com> | 2019-07-15 11:55:21 -0300 |
commit | b43111e5d36ace977f45b62985100d3b74768ce5 (patch) | |
tree | 4f9d94d1d377d4934d27b38bdf91a86dc3d286f3 | |
parent | 2fec78ead4ce46b9728be02693b6e50cce740726 (diff) | |
Do not show moved issue ids for user not authorized
Do not show moved issue id for users that cannot read issue
-rw-r--r-- | app/serializers/issue_entity.rb | 7 | ||||
-rw-r--r-- | changelogs/unreleased/security-hide_moved_issue_id.yml | 5 | ||||
-rw-r--r-- | spec/serializers/issue_entity_spec.rb | 33 |
3 files changed, 44 insertions, 1 deletions
diff --git a/app/serializers/issue_entity.rb b/app/serializers/issue_entity.rb
index 36e601f45c5..82139855760 100644
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
   expose :discussion_locked
   expose :assignees, using: API::Entities::UserBasic
   expose :due_date
-  expose :moved_to_id
   expose :project_id
+  expose :moved_to_id do |issue|
+    if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)
+      issue.moved_to_id
+    end
+  end
+
 
   expose :web_url do |issue|
     project_issue_path(issue.project, issue)
   end
diff --git a/changelogs/unreleased/security-hide_moved_issue_id.yml b/changelogs/unreleased/security-hide_moved_issue_id.yml
new file mode 100644
index 00000000000..24353d797c9
--- /dev/null
+++ b/changelogs/unreleased/security-hide_moved_issue_id.yml
@@ -0,0 +1,5 @@
+---
+title: Do not show moved issue id for users that cannot read issue
+merge_request:
+author:
+type: security
diff --git a/spec/serializers/issue_entity_spec.rb b/spec/serializers/issue_entity_spec.rb
index caa3e41402b..0e05b3c84f4 100644
--- a/spec/serializers/issue_entity_spec.rb
+++ b/spec/serializers/issue_entity_spec.rb
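Review bot: The guard in the new `expose :moved_to_id` block loads `issue.moved_to` for every issue whose `moved_to_id` is present, and if the target issue has since been deleted that lookup yields nil, so `can?` is evaluated against a nil subject; what `can?` does with a nil subject is decided outside this hunk, so the outcome is not visible here. Loading the target once and checking it explicitly keeps the intent clear and avoids relying on that behaviour: `target = issue.moved_to` followed by `issue.moved_to_id if target && can?(request.current_user, :read_issue, target)`. When the check fails the key is still emitted with a nil value rather than omitted, which the new spec depends on, so that is worth stating on the block, e.g. `# Reveal the target issue id only to viewers who can read the moved-to issue; nil otherwise.`. The extra record load is one query per serialized issue, which matters if this entity is ever used for collections.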
@@ -17,4 +17,37 @@ describe IssueEntity do
   it 'has time estimation attributes' do
     expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent)
   end
+
+  context 'when issue got moved' do
+    let(:public_project) { create(:project, :public) }
+    let(:member) { create(:user) }
+    let(:non_member) { create(:user) }
+    let(:issue) { create(:issue, project: public_project) }
+
+    before do
+      project.add_developer(member)
+      public_project.add_developer(member)
+      Issues::MoveService.new(public_project, member).execute(issue, project)
+    end
+
+    context 'when user cannot read target project' do
+      it 'does not return moved_to_id' do
+        request = double('request', current_user: non_member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to be_nil
+      end
+    end
+
+    context 'when user can read target project' do
+      it 'returns moved moved_to_id' do
+        request = double('request', current_user: member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to eq(issue.moved_to_id)
+      end
+    end
+  end
 end
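Review bot: The `before` block of the new context moves the issue into `project` and adds `member` to it, but `project` comes from a `let` outside this hunk, and the 'cannot read target project' example only demonstrates the fix if that project is not readable by `non_member`; making the dependency explicit, either with a comment such as `# relies on the outer project being private so non_member is denied :read_issue` or by overriding it with `let(:project) { create(:project, :private) }`, keeps the example self-contained. The example name `it 'returns moved moved_to_id' do` has a doubled word; `it 'returns moved_to_id' do` reads better. There is also no example for an issue that was never moved, so a regression in the serializer's nil handling of `moved_to_id` would go unnoticed; an example asserting `moved_to_id` is nil for a fresh issue would cover it.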