authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 17:02:36 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 17:02:36 +0000
commit0844bbf60cf9aaada64e392664b4047c54d1e6b6 (patch)
treeb175846a466d95251553be4f508af88eb32e586d /spec/lib
parent402c75004b9fafc14cc563dd25ce9719b3882c54 (diff)
parenta416b83b6c0e1b8db9dd9829d16ca420bdb2fbe9 (diff)
Merge branch 'security-ag-cycle-analytics-guest-permissions' into 'master'
Prevent guests from seeing commits for cycle analytics See merge request gitlab/gitlabhq!3519
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb23
1 files changed, 23 insertions, 0 deletions
diff --git a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
index 8f9dac6d281..94edef20296 100644
--- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
@@ -6,6 +6,11 @@ describe Gitlab::CycleAnalytics::StageSummary do
let(:project) { create(:project, :repository) }
let(:options) { { from: 1.day.ago, current_user: user } }
let(:user) { create(:user, :admin) }
+
+ before do
+ project.add_maintainer(user)
+ end
+
let(:stage_summary) { described_class.new(project, options).data }
describe "#new_issues" do
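Review bot: With the added `before` block the shared fixture user is both `:admin` and a project maintainer, so the existing positive examples cannot show which of the two grants makes the summary data visible. If the permission check this merge introduces is meant to key on project access (the check itself is outside this spec diff), a non-admin fixture such as `let(:user) { create(:user) }` together with `project.add_maintainer(user)` would prove that maintainer membership alone is sufficient. If both are intentional, a one-line comment above the `before` block saying why would keep a later cleanup from dropping one of them.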
@@ -86,6 +91,24 @@ describe Gitlab::CycleAnalytics::StageSummary do
expect(subject).to eq(2)
end
end
+
+ context 'when a guest user is signed in' do
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.add_guest(guest_user)
+ options.merge!({ current_user: guest_user })
+ end
+
+ it 'does not include commit stats' do
+ data = described_class.new(project, options).data
+ expect(includes_commits?(data)).to be_falsy
+ end
+
+ def includes_commits?(data)
+ data.any? { |h| h["title"] == 'Commits' }
+ end
+ end
end
describe "#deploys" do
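Review bot: The guest example asserts only absence, so it passes vacuously if the hashes in `data` use symbol keys or a title other than the exact string `'Commits'`. Nothing visible in this hunk runs the same helper against a user who should see commits. Moving `includes_commits?` up to the enclosing `describe` and adding a positive control, e.g. `expect(includes_commits?(stage_summary)).to be_truthy` for the maintainer, would pin the permission boundary from both sides. Only the guest role is covered here; the lowest role that should see commits and, if anonymous access can reach this class (not visible from this diff), `current_user: nil` are worth adding as cases. As a style point, `options.merge!({ current_user: guest_user })` mutates the memoized `let` hash; overriding `let(:user)` inside the context would express the same setup without mutation.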