Merge branch 'fix-events-finder-incomplete-11-2' into 'security-11-2'

[11.2] Redact events shown in the events API See merge request gitlab/gitlabhq!2519
author: Bob Van Landuyt <bob@gitlab.com> 2018-09-24 15:54:07 +0000
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-09-24 18:01:14 +0200
commit: 20d6be94c90a268a531280d6c4cab14b45439a08 (patch)
tree: 764953c5b44286ec08402dac6acd7b88820bb957 /spec
parent: 5ddc012d457acda07189ff70ea210c47bf0c0402 (diff)
download: gitlab-ce-20d6be94c90a268a531280d6c4cab14b45439a08.tar.gz
2 files changed, 192 insertions, 0 deletions
diff --git a/spec/models/event_spec.rb b/spec/models/event_spec.rb
index c1eac4fa489..81748681528 100644
--- a/spec/models/event_spec.rb
+++ b/spec/models/event_spec.rb
@@ -148,9 +148,14 @@ describe Event do
     let(:admin) { create(:admin) }
     let(:issue) { create(:issue, project: project, author: author, assignees: [assignee]) }
     let(:confidential_issue) { create(:issue, :confidential, project: project, author: author, assignees: [assignee]) }
+    let(:project_snippet) { create(:project_snippet, :public, project: project, author: author) }
+    let(:personal_snippet) { create(:personal_snippet, :public, author: author) }
     let(:note_on_commit) { create(:note_on_commit, project: project) }
     let(:note_on_issue) { create(:note_on_issue, noteable: issue, project: project) }
     let(:note_on_confidential_issue) { create(:note_on_issue, noteable: confidential_issue, project: project) }
+    let(:note_on_project_snippet) { create(:note_on_project_snippet, author: author, noteable: project_snippet, project: project) }
+    let(:note_on_personal_snippet) { create(:note_on_personal_snippet, author: author, noteable: personal_snippet, project: nil) }
+    let(:milestone_on_project) { create(:milestone, project: project) }
     let(:event) { described_class.new(project: project, target: target, author_id: author.id) }
 
     before do
@@ -268,6 +273,125 @@ describe Event do
         end
       end
     end
+
+    context 'milestone event' do
+      let(:target) { milestone_on_project }
+
+      it do
+        expect(event.visible_to_user?(nil)).to be_truthy
+        expect(event.visible_to_user?(non_member)).to be_truthy
+        expect(event.visible_to_user?(member)).to be_truthy
+        expect(event.visible_to_user?(guest)).to be_truthy
+        expect(event.visible_to_user?(admin)).to be_truthy
+      end
+
+      context 'on public project with private issue tracker and merge requests' do
+        let(:project) { create(:project, :public, :issues_private, :merge_requests_private) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_falsy
+          expect(event.visible_to_user?(member)).to be_truthy
+          expect(event.visible_to_user?(guest)).to be_truthy
+          expect(event.visible_to_user?(admin)).to be_truthy
+        end
+      end
+
+      context 'on private project' do
+        let(:project) { create(:project, :private) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_falsy
+          expect(event.visible_to_user?(member)).to be_truthy
+          expect(event.visible_to_user?(guest)).to be_truthy
+          expect(event.visible_to_user?(admin)).to be_truthy
+        end
+      end
+    end
+
+    context 'project snippet note event' do
+      let(:target) { note_on_project_snippet }
+
+      it do
+        expect(event.visible_to_user?(nil)).to be_truthy
+        expect(event.visible_to_user?(non_member)).to be_truthy
+        expect(event.visible_to_user?(author)).to be_truthy
+        expect(event.visible_to_user?(member)).to be_truthy
+        expect(event.visible_to_user?(guest)).to be_truthy
+        expect(event.visible_to_user?(admin)).to be_truthy
+      end
+
+      context 'on public project with private snippets' do
+        let(:project) { create(:project, :public, :snippets_private) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_falsy
+
+          # Normally, we'd expect the author of a comment to be able to view it.
+          # However, this doesn't seem to be the case for comments on snippets.
+          expect(event.visible_to_user?(author)).to be_falsy
+
+          expect(event.visible_to_user?(member)).to be_truthy
+          expect(event.visible_to_user?(guest)).to be_truthy
+          expect(event.visible_to_user?(admin)).to be_truthy
+        end
+      end
+
+      context 'on private project' do
+        let(:project) { create(:project, :private) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_falsy
+
+          # Normally, we'd expect the author of a comment to be able to view it.
+          # However, this doesn't seem to be the case for comments on snippets.
+          expect(event.visible_to_user?(author)).to be_falsy
+
+          expect(event.visible_to_user?(member)).to be_truthy
+          expect(event.visible_to_user?(guest)).to be_truthy
+          expect(event.visible_to_user?(admin)).to be_truthy
+        end
+      end
+    end
+
+    context 'personal snippet note event' do
+      let(:target) { note_on_personal_snippet }
+
+      it do
+        expect(event.visible_to_user?(nil)).to be_truthy
+        expect(event.visible_to_user?(non_member)).to be_truthy
+        expect(event.visible_to_user?(author)).to be_truthy
+        expect(event.visible_to_user?(admin)).to be_truthy
+      end
+
+      context 'on internal snippet' do
+        let(:personal_snippet) { create(:personal_snippet, :internal, author: author) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_truthy
+          expect(event.visible_to_user?(author)).to be_truthy
+          expect(event.visible_to_user?(admin)).to be_truthy
+        end
+      end
+
+      context 'on private snippet' do
+        let(:personal_snippet) { create(:personal_snippet, :private, author: author) }
+
+        it do
+          expect(event.visible_to_user?(nil)).to be_falsy
+          expect(event.visible_to_user?(non_member)).to be_falsy
+          expect(event.visible_to_user?(author)).to be_truthy
+
+          # It is very unexpected that a private personal snippet is not visible
+          # to an instance administrator. This should be fixed in the future.
+          expect(event.visible_to_user?(admin)).to be_falsy
+        end
+      end
+    end
   end
 
   describe '.limit_recent' do
diff --git a/spec/requests/api/redacted_events_spec.rb b/spec/requests/api/redacted_events_spec.rb
new file mode 100644
index 00000000000..086dd3df9ba
--- /dev/null
+++ b/spec/requests/api/redacted_events_spec.rb
@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe 'Redacted events in API::Events' do
+  shared_examples 'private events are redacted' do
+    it 'redacts events the user does not have access to' do
+      expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original
+
+      get api(path), user
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to contain_exactly(
+        'project_id' => nil,
+        'action_name' => nil,
+        'target_id' => nil,
+        'target_iid' => nil,
+        'target_type' => nil,
+        'author_id' => nil,
+        'target_title' => 'Confidential event',
+        'created_at' => nil,
+        'author_username' => nil
+      )
+    end
+  end
+
+  describe '/users/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/users/#{project.owner.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views another user with private events' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views another user with private events' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+
+  describe '/projects/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/projects/#{project.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views public project' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views public project' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+end
author	Bob Van Landuyt <bob@gitlab.com>	2018-09-24 15:54:07 +0000
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-09-24 18:01:14 +0200
commit	20d6be94c90a268a531280d6c4cab14b45439a08 (patch)
tree	764953c5b44286ec08402dac6acd7b88820bb957 /spec
parent	5ddc012d457acda07189ff70ea210c47bf0c0402 (diff)
download	gitlab-ce-20d6be94c90a268a531280d6c4cab14b45439a08.tar.gz