diff options
| author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-04 16:55:18 +0000 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-10-04 18:58:25 +0200 |
| commit | 21092657a50dbb3430dcf412d8fe448c348c09de (patch) | |
| tree | 9315c971de3f3890be3fde2f8aa618f291f9b0d1 /spec | |
| parent | 74532158e0599e918e911d1039a92972a7902911 (diff) | |
| download | gitlab-ce-21092657a50dbb3430dcf412d8fe448c348c09de.tar.gz | |
Merge branch 'security-fix-leaking-private-project-namespace-11-3' into 'security-11-3'
[11-3] Fix leaking private project namespace
See merge request gitlab/gitlabhq!2542
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/models/note_spec.rb | 67 |
1 files changed, 47 insertions, 20 deletions
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb index 947be44c903..1783dd3206b 100644 --- a/spec/models/note_spec.rb +++ b/spec/models/note_spec.rb @@ -231,33 +231,60 @@ describe Note do let(:ext_proj) { create(:project, :public) } let(:ext_issue) { create(:issue, project: ext_proj) } - let(:note) do - create :note, - noteable: ext_issue, project: ext_proj, - note: "mentioned in issue #{private_issue.to_reference(ext_proj)}", - system: true - end + shared_examples "checks references" do + it "returns true" do + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end - it "returns true" do - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy - end + it "returns false" do + expect(note.cross_reference_not_visible_for?(private_user)).to be_falsy + end - it "returns false" do - expect(note.cross_reference_not_visible_for?(private_user)).to be_falsy + it "returns false if user visible reference count set" do + note.user_visible_reference_count = 1 + note.total_reference_count = 1 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_falsy + end + + it "returns true if ref count is 0" do + note.user_visible_reference_count = 0 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end end - it "returns false if user visible reference count set" do - note.user_visible_reference_count = 1 + context "when there is one reference in note" do + let(:note) do + create :note, + noteable: ext_issue, project: ext_proj, + note: "mentioned in issue #{private_issue.to_reference(ext_proj)}", + system: true + end - expect(note).not_to receive(:reference_mentionables) - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_falsy + it_behaves_like "checks references" end - it "returns true if ref count is 0" do - note.user_visible_reference_count = 0 + context "when there are two references in note" do + let(:note) do + create :note, + noteable: ext_issue, project: ext_proj, + note: "mentioned in issue #{private_issue.to_reference(ext_proj)} and " \ + "public issue #{ext_issue.to_reference(ext_proj)}", + system: true + end + + it_behaves_like "checks references" - expect(note).not_to receive(:reference_mentionables) - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + it "returns true if user visible reference count set and there is a private reference" do + note.user_visible_reference_count = 1 + note.total_reference_count = 2 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end end end @@ -269,7 +296,7 @@ describe Note do end context 'when the note might contain cross references' do - SystemNoteMetadata::TYPES_WITH_CROSS_REFERENCES.each do |type| + SystemNoteMetadata.new.cross_reference_types.each do |type| let(:note) { create(:note, :system) } let!(:metadata) { create(:system_note_metadata, note: note, action: type) } |