Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'

Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR? :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested ### Issue lookup with access check Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells). - [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`] - [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`] - [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`] - [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone - [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too? - [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`] ### Previous discussions - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126 - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87 See merge request !2031
author: Douwe Maan <douwe@gitlab.com> 2016-11-22 10:25:04 +0000
committer: Alejandro Rodríguez <alejorro70@gmail.com> 2016-11-28 21:26:23 -0300
commit: 3bf34face4cacf07ca973705c261369b1f596626 (patch)
tree: e8c8652893d5d2de45e26fa4cc0eb77c7517973e /spec/requests/api/issues_spec.rb
parent: 6d37fe952b5679d7586eaa569d0488dbb92032fe (diff)
download: gitlab-ce-3bf34face4cacf07ca973705c261369b1f596626.tar.gz
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index b17553211d2..ae7994af981 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -365,6 +365,24 @@ describe API::API, api: true  do
     let(:base_url) { "/projects/#{project.id}" }
     let(:title) { milestone.title }
 
+    it "returns 404 on private projects for other users" do
+      private_project = create(:empty_project, :private)
+      create(:issue, project: private_project)
+
+      get api("/projects/#{private_project.id}/issues", non_member)
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'returns no issues when user has access to project but not issues' do
+      restricted_project = create(:empty_project, :public, issues_access_level: ProjectFeature::PRIVATE)
+      create(:issue, project: restricted_project)
+
+      get api("/projects/#{restricted_project.id}/issues", non_member)
+
+      expect(json_response).to eq([])
+    end
+
     it 'returns project issues without confidential issues for non project members' do
       get api("#{base_url}/issues", non_member)
       expect(response).to have_http_status(200)
author	Douwe Maan <douwe@gitlab.com>	2016-11-22 10:25:04 +0000
committer	Alejandro Rodríguez <alejorro70@gmail.com>	2016-11-28 21:26:23 -0300
commit	3bf34face4cacf07ca973705c261369b1f596626 (patch)
tree	e8c8652893d5d2de45e26fa4cc0eb77c7517973e /spec/requests/api/issues_spec.rb
parent	6d37fe952b5679d7586eaa569d0488dbb92032fe (diff)
download	gitlab-ce-3bf34face4cacf07ca973705c261369b1f596626.tar.gz