Allow guests users to access project releases

This is step one of resolving https://gitlab.com/gitlab-org/gitlab-ce/issues/56838. Here is what changed: - Revert the security fix from bdee9e8412d. - Do not leak repository information (tag name, commit) to guests in API responses. - Do not include links to source code in API responses for users that do not have download_code access. - Show Releases in sidebar for guests. - Do not display links to source code under Assets for users that do not have download_code access. GET ':id/releases/:tag_name' still do not allow guests to access releases. This is to prevent guessing tag existence.
author: Krasimir Angelov <kangelov@gitlab.com> 2019-05-03 13:29:20 +0000
committer: Lin Jen-Shin <godfat@godfat.org> 2019-05-03 13:29:20 +0000
commit: 241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree: 085737123336ffc4abbf65652a7365c191c8a64c /spec/models/release_spec.rb
parent: 9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download: gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/spec/models/release_spec.rb b/spec/models/release_spec.rb
index 0b19a4f8efc..7c106ce6b85 100644
--- a/spec/models/release_spec.rb
+++ b/spec/models/release_spec.rb
@@ -49,6 +49,11 @@ RSpec.describe Release do
       it 'counts the link as an asset' do
         is_expected.to eq(1 + Releases::Source::FORMATS.count)
       end
+
+      it "excludes sources count when asked" do
+        assets_count = release.assets_count(except: [:sources])
+        expect(assets_count).to eq(1)
+      end
     end
   end
author	Krasimir Angelov <kangelov@gitlab.com>	2019-05-03 13:29:20 +0000
committer	Lin Jen-Shin <godfat@godfat.org>	2019-05-03 13:29:20 +0000
commit	241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree	085737123336ffc4abbf65652a7365c191c8a64c /spec/models/release_spec.rb
parent	9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download	gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz