author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 18:38:40 +0000 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:09:23 -0500 |
commit | e3a5ce58bbd288063c705c57f2e7b3fcdf2b4a3b (patch) | |
tree | 525b43acbf56f700488b8340cc42769b1dba576b /spec/features/projects/commits | |
parent | 17f837267dc7e9e995885d9d161c7b035719de41 (diff) | |
download | gitlab-ce-e3a5ce58bbd288063c705c57f2e7b3fcdf2b4a3b.tar.gz |
Merge branch 'security-bvl-exposure-in-commits-list' into 'master'
[master] Don't expose confidential information in commit message list
See merge request gitlab/gitlabhq!2626
Diffstat (limited to 'spec/features/projects/commits')
-rw-r--r-- | spec/features/projects/commits/user_browses_commits_spec.rb | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/spec/features/projects/commits/user_browses_commits_spec.rb b/spec/features/projects/commits/user_browses_commits_spec.rb
index 534cfe1eb12..2159adf49fc 100644
--- a/spec/features/projects/commits/user_browses_commits_spec.rb
+++ b/spec/features/projects/commits/user_browses_commits_spec.rb
@@ -4,10 +4,9 @@ describe 'User browses commits' do
 include RepoHelpers
 let(:user) { create(:user) }
- let(:project) { create(:project, :repository, namespace: user.namespace) }
+ let(:project) { create(:project, :public, :repository, namespace: user.namespace) }
 before do
- project.add_maintainer(user)
 sign_in(user)
 end
@@ -127,6 +126,26 @@ describe 'User browses commits' do
 .and have_selector('entry summary', text: commit.description[0..10].delete("\r\n"))
 end
+ context 'when a commit links to a confidential issue' do
+ let(:confidential_issue) { create(:issue, confidential: true, title: 'Secret issue!', project: project) }
+ before do
+ project.repository.create_file(user, 'dummy-file', 'dummy content', branch_name: 'feature', message: "Linking #{confidential_issue.to_reference}")
+ end
+ context 'when the user cannot see confidential issues but was cached with a link', :use_clean_rails_memory_store_fragment_caching do
+ it 'does not render the confidential issue' do
+ visit project_commits_path(project, 'feature')
+ sign_in(create(:user))
+ visit project_commits_path(project, 'feature')
+ expect(page).not_to have_link(href: project_issue_path(project, confidential_issue))
+ end
+ end
+ end
+ context 'master branch' do
 before do
 visit_commits_page |
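Review bot: The `it 'does not render the confidential issue'` example in the second hunk has no positive control: nothing asserts that the link was actually rendered and cached during the first visit as `user`, so the example would also pass if issue references were never linked at all, and the fragment-cache regression it is meant to guard would go undetected. Adding `expect(page).to have_link(href: project_issue_path(project, confidential_issue))` immediately after the first `visit project_commits_path(project, 'feature')` pins that the cached fragment contained the link before the unprivileged user's visit. Whether `sign_in(create(:user))` replaces the existing session or the helper expects a prior sign-out is not visible here and is worth confirming, since the example's value depends on the second visit being unprivileged. A sibling example with the opposite order (unprivileged user visits first, then `user`) would cover the other cache-population path. The enclosing `describe 'User browses commits'` block starts and ends outside the hunk.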