diff options
author | Krasimir Angelov <kangelov@gitlab.com> | 2019-05-03 13:29:20 +0000 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2019-05-03 13:29:20 +0000 |
commit | 241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch) | |
tree | 085737123336ffc4abbf65652a7365c191c8a64c /spec/models/release_spec.rb | |
parent | 9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff) | |
download | gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz |
Allow guests users to access project releases
This is step one of resolving
https://gitlab.com/gitlab-org/gitlab-ce/issues/56838.
Here is what changed:
- Revert the security fix from bdee9e8412d.
- Do not leak repository information (tag name, commit) to guests in API
responses.
- Do not include links to source code in API responses for users that do
not have download_code access.
- Show Releases in sidebar for guests.
- Do not display links to source code under Assets for users that do not
have download_code access.
GET ':id/releases/:tag_name' still do not allow guests to access
releases. This is to prevent guessing tag existence.
Diffstat (limited to 'spec/models/release_spec.rb')
-rw-r--r-- | spec/models/release_spec.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/spec/models/release_spec.rb b/spec/models/release_spec.rb index 0b19a4f8efc..7c106ce6b85 100644 --- a/spec/models/release_spec.rb +++ b/spec/models/release_spec.rb @@ -49,6 +49,11 @@ RSpec.describe Release do it 'counts the link as an asset' do is_expected.to eq(1 + Releases::Source::FORMATS.count) end + + it "excludes sources count when asked" do + assets_count = release.assets_count(except: [:sources]) + expect(assets_count).to eq(1) + end end end |