diff options
author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-05 17:46:12 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@gitlab.com> | 2018-10-05 17:46:12 +0000 |
commit | d26bf613b45066b3d2c78ef539cffc109cc39064 (patch) | |
tree | cd7b93bf0d984e9ed895066a2681b126de676fd7 /spec | |
parent | b82cdf0ec0eb662ffe61ab1b9e9abfb881e0d2a1 (diff) | |
parent | 9ba554c8a053c5c9ad52a4e38956c4b9a6f140f7 (diff) | |
download | gitlab-ce-d26bf613b45066b3d2c78ef539cffc109cc39064.tar.gz |
Merge branch 'security-fix-leaking-private-project-namespace' into 'master'
[master] Fix leaking private project namespace
Closes #2708
See merge request gitlab/gitlabhq!2529
Diffstat (limited to 'spec')
-rw-r--r-- | spec/models/note_spec.rb | 67 |
1 files changed, 47 insertions, 20 deletions
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb index 947be44c903..1783dd3206b 100644 --- a/spec/models/note_spec.rb +++ b/spec/models/note_spec.rb @@ -231,33 +231,60 @@ describe Note do let(:ext_proj) { create(:project, :public) } let(:ext_issue) { create(:issue, project: ext_proj) } - let(:note) do - create :note, - noteable: ext_issue, project: ext_proj, - note: "mentioned in issue #{private_issue.to_reference(ext_proj)}", - system: true - end + shared_examples "checks references" do + it "returns true" do + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end - it "returns true" do - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy - end + it "returns false" do + expect(note.cross_reference_not_visible_for?(private_user)).to be_falsy + end - it "returns false" do - expect(note.cross_reference_not_visible_for?(private_user)).to be_falsy + it "returns false if user visible reference count set" do + note.user_visible_reference_count = 1 + note.total_reference_count = 1 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_falsy + end + + it "returns true if ref count is 0" do + note.user_visible_reference_count = 0 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end end - it "returns false if user visible reference count set" do - note.user_visible_reference_count = 1 + context "when there is one reference in note" do + let(:note) do + create :note, + noteable: ext_issue, project: ext_proj, + note: "mentioned in issue #{private_issue.to_reference(ext_proj)}", + system: true + end - expect(note).not_to receive(:reference_mentionables) - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_falsy + it_behaves_like "checks references" end - it "returns true if ref count is 0" do - note.user_visible_reference_count = 0 + context "when there are two references in note" do + let(:note) do + create :note, + noteable: ext_issue, project: ext_proj, + note: "mentioned in issue #{private_issue.to_reference(ext_proj)} and " \ + "public issue #{ext_issue.to_reference(ext_proj)}", + system: true + end + + it_behaves_like "checks references" - expect(note).not_to receive(:reference_mentionables) - expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + it "returns true if user visible reference count set and there is a private reference" do + note.user_visible_reference_count = 1 + note.total_reference_count = 2 + + expect(note).not_to receive(:reference_mentionables) + expect(note.cross_reference_not_visible_for?(ext_issue.author)).to be_truthy + end end end @@ -269,7 +296,7 @@ describe Note do end context 'when the note might contain cross references' do - SystemNoteMetadata::TYPES_WITH_CROSS_REFERENCES.each do |type| + SystemNoteMetadata.new.cross_reference_types.each do |type| let(:note) { create(:note, :system) } let!(:metadata) { create(:system_note_metadata, note: note, action: type) } |