author | Alexandru Croitor <acroitor@gitlab.com> | 2019-09-06 21:46:51 +0300 |
---|---|---|
committer | Alexandru Croitor <acroitor@gitlab.com> | 2019-09-20 10:41:20 +0300 |
commit | ded9647d12a279b9cadbc3a5974d5c519279d86c (patch) | |
tree | 37fced6b14ea88f3f44aeb2f1eb72a0baac1ba71 | |
parent | 39381519f294742e4083dfd6a50c0c8ceddecd5d (diff) | |
Display only participants that user has permission to see
3 files changed, 47 insertions, 1 deletions
diff --git a/app/controllers/concerns/milestone_actions.rb b/app/controllers/concerns/milestone_actions.rb
index 8b8b7db72f8..1ead631663e 100644
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@@ -20,7 +20,7 @@ module MilestoneActions
format.html { redirect_to milestone_redirect_path }
format.json do
render json: tabs_json("shared/milestones/_participants_tab", {
- users: @milestone.participants # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ users: @milestone.issue_participants_visible_by_user(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
})
end
end
diff --git a/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml b/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
new file mode 100644
index 00000000000..574f9f8283c
--- /dev/null
+++ b/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Display only participants that user has permission to see on milestone page
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index 9b2025b836c..9bfabd354e0 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
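Review bot: The replacement call passes `current_user` to `issue_participants_visible_by_user`, and `current_user` is nil for an unauthenticated visitor to a public project's milestone page, while the spec added in this commit only signs in a guest; confirm the helper handles nil by returning the participants of non-confidential issues rather than raising or falling back to the unfiltered list. The new helper's name also covers only issue participants, whereas the replaced `@milestone.participants` may have included participants of merge requests on the milestone — if it did, this JSON tab silently loses them, which the changelog entry does not mention and no spec pins down. I would document the intent on the call, e.g. `# only issues readable by current_user (confidential issues are hidden from guests)`. The enclosing action method begins before this hunk.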
@@ -244,4 +244,45 @@ describe Projects::MilestonesController do
end
end
end
+
+ context '#participants' do
+ render_views
+
+ context "when guest user" do
+ let(:issue_assignee) { create(:user) }
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.add_guest(guest_user)
+ sign_in(guest_user)
+ issue.update(assignee_ids: issue_assignee.id)
+ end
+
+ context "when issue is not confidential" do
+ it 'shows milestone participants' do
+ params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+ get :participants, params: params
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ expect(json_response['html']).to include(issue_assignee.name)
+ end
+ end
+
+ context "when issue is confidential" do
+ before do
+ issue.update(confidential: true)
+ end
+
+ it 'shows no milestone participants' do
+ params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+ get :participants, params: params
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ expect(json_response['html']).not_to include(issue_assignee.name)
+ end
+ end
+ end
+ end
end |
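Review bot: The new `#participants` examples only assert that a guest does not see the assignee of a confidential issue; a filter that hid confidential-issue participants from every user, including members allowed to read confidential issues, would pass this spec unchanged. Add the positive case for a user at the role the project treats as able to read confidential issues (Reporter, as far as I can tell from the changelog title) so the visibility check is pinned from both sides. Separately, the `before` blocks use `issue.update(...)`, which returns false on a validation failure instead of raising, so a failed setup would surface as a confusing assertion failure; `issue.update!(assignee_ids: issue_assignee.id)` and `issue.update!(confidential: true)` fail loudly. The enclosing `describe` block begins before this hunk.
```ruby
# … unchanged: context "when guest user" …

context "when user can read confidential issues" do
  let(:issue_assignee) { create(:user) }
  let(:reporter) { create(:user) }

  before do
    project.add_reporter(reporter)
    sign_in(reporter)
    issue.update!(assignee_ids: issue_assignee.id, confidential: true)
  end

  it 'shows the confidential issue assignee' do
    params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
    get :participants, params: params

    expect(response).to have_gitlab_http_status(200)
    expect(json_response['html']).to include(issue_assignee.name)
  end
end
```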