diff options
author | Robert Speicher <robert@gitlab.com> | 2016-05-31 19:35:13 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2016-05-31 19:35:13 +0000 |
commit | 613bcdc6262f30156bc240e532c781f1d0681b9f (patch) | |
tree | 31c70a4a39abb01eefa0f088fd88937e5647e876 /spec/models/note_spec.rb | |
parent | ef4fedc18f5e2475aa36cc4327a76a496567c6fc (diff) | |
parent | 9154586ce5c46dfac83a1ed1e4beac1940913f16 (diff) | |
download | gitlab-ce-613bcdc6262f30156bc240e532c781f1d0681b9f.tar.gz |
Merge branch 'data_leak' into 'master'
Confidential notes data leak
Fixes part of https://gitlab.com/gitlab-org/gitlab-ee/issues/575
See merge request !1967
Diffstat (limited to 'spec/models/note_spec.rb')
-rw-r--r-- | spec/models/note_spec.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb index 8aad1b73add..0e052907eec 100644 --- a/spec/models/note_spec.rb +++ b/spec/models/note_spec.rb @@ -139,6 +139,25 @@ describe Note, models: true do it 'returns notes with matching content regardless of the casing' do expect(described_class.search('WOW')).to eq([note]) end + + context "confidential issues" do + let(:user) { create :user } + let(:confidential_issue) { create(:issue, :confidential, author: user) } + let(:confidential_note) { create :note, note: "Random", noteable: confidential_issue } + + it "returns notes with matching content if user can see the issue" do + expect(described_class.search(confidential_note.note, as_user: user)).to eq([confidential_note]) + end + + it "does not return notes with matching content if user can not see the issue" do + user = create :user + expect(described_class.search(confidential_note.note, as_user: user)).to be_empty + end + + it "does not return notes with matching content for unauthenticated users" do + expect(described_class.search(confidential_note.note)).to be_empty + end + end end describe '.grouped_awards' do |