diff options
| author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-07 18:09:00 +0100 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-12-17 18:47:53 +0100 |
| commit | 28acd2b087d5b80cd89354d58f937aed0f4928cb (patch) | |
| tree | 0eda3c8ee7be722d51a390c750f1fd39dd88276b /spec/finders/events_finder_spec.rb | |
| parent | 75262862c434a98b9183a4a63f3ad86dec52b079 (diff) | |
| download | gitlab-ce-28acd2b087d5b80cd89354d58f937aed0f4928cb.tar.gz | |
Hide confidential events in ruby
We're filtering the events using `Event#visible_to_user?`.
At most we're loading 100 events at once.
Pagination is also dealt with in the finder, but the resulting array
is wrapped in a `Kaminari.paginate_array` so the API's pagination
helpers keep working. We're passing the total count into that
paginatable array, which would include confidential events. But we're
not disclosing anything.
Diffstat (limited to 'spec/finders/events_finder_spec.rb')
| -rw-r--r-- | spec/finders/events_finder_spec.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/spec/finders/events_finder_spec.rb b/spec/finders/events_finder_spec.rb index 62968e83292..3bce46cc4d1 100644 --- a/spec/finders/events_finder_spec.rb +++ b/spec/finders/events_finder_spec.rb @@ -14,6 +14,10 @@ describe EventsFinder do let!(:closed_issue_event2) { create(:event, project: project1, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 2, 2)) } let!(:opened_merge_request_event2) { create(:event, project: project2, author: user, target: opened_merge_request, action: Event::CREATED, created_at: Date.new(2017, 2, 2)) } + let(:public_project) { create(:project, :public, creator_id: user.id, namespace: user.namespace) } + let(:confidential_issue) { create(:closed_issue, confidential: true, project: public_project, author: user) } + let!(:confidential_event) { create(:event, project: public_project, author: user, target: confidential_issue, action: Event::CLOSED) } + context 'when targeting a user' do it 'returns events between specified dates filtered on action and type' do events = described_class.new(source: user, current_user: user, action: 'created', target_type: 'merge_request', after: Date.new(2017, 1, 1), before: Date.new(2017, 2, 1)).execute @@ -27,6 +31,19 @@ describe EventsFinder do expect(events).not_to include(opened_merge_request_event) end + it 'does not include events on confidential issues the user does not have access to' do + events = described_class.new(source: user, current_user: other_user).execute + + expect(events).not_to include(confidential_event) + end + + it 'includes confidential events user has access to' do + public_project.add_developer(other_user) + events = described_class.new(source: user, current_user: other_user).execute + + expect(events).to include(confidential_event) + end + it 'returns nothing when the current user cannot read cross project' do expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false } |