summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 12:02:05 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 12:02:05 +0000
commit83e8f432e03fee659c3ac0bd718f40dff0bf8e45 (patch)
treeff65535f069ab7bb5005b9bddcd81f290f140bd2 /spec
parent7d028ae6a925c50033b14ada8495a244305e6df0 (diff)
parent6324a099746475910dec56500e0f834a79f181da (diff)
downloadgitlab-ce-83e8f432e03fee659c3ac0bd718f40dff0bf8e45.tar.gz
Merge branch 'security-filter-related-branches-from-activity-feed-12.5' into '12-5-stable'
Related Branches Visible to Guests in Issue Activity See merge request gitlab/gitlabhq!3538
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects/issues_controller_spec.rb37
-rw-r--r--spec/models/note_spec.rb64
2 files changed, 101 insertions, 0 deletions
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 8770a5ee303..29746bbd863 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1435,6 +1435,43 @@ describe Projects::IssuesController do
expect { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }.not_to exceed_query_limit(control_count)
end
end
+
+ context 'private project' do
+ let!(:branch_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
+ let!(:commit_note) { create(:discussion_note_on_issue, :system, noteable: issue, project: project) }
+ let!(:branch_note_meta) { create(:system_note_metadata, note: branch_note, action: "branch") }
+ let!(:commit_note_meta) { create(:system_note_metadata, note: commit_note, action: "commit") }
+
+ context 'user is allowed access' do
+ before do
+ project.add_user(user, :maintainer)
+ end
+
+ it 'displays all available notes' do
+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
+
+ expect(json_response.length).to eq(3)
+ end
+ end
+
+ context 'user is a guest' do
+ let(:json_response_note_ids) do
+ json_response.collect { |discussion| discussion["notes"] }.flatten
+ .collect { |note| note["id"].to_i }
+ end
+
+ before do
+ project.add_guest(user)
+ end
+
+ it 'does not display notes w/type listed in TYPES_RESTRICTED_BY_ACCESS_LEVEL' do
+ get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
+
+ expect(json_response.length).to eq(2)
+ expect(json_response_note_ids).not_to include(branch_note.id)
+ end
+ end
+ end
end
end
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 3ab88b52568..9c06cd049f5 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -285,6 +285,70 @@ describe Note do
end
end
+ describe "#visible_for?" do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:note) { create(:note) }
+ let_it_be(:user) { create(:user) }
+
+ where(:cross_reference_visible, :system_note_viewable, :result) do
+ true | true | false
+ false | true | true
+ false | false | false
+ end
+
+ with_them do
+ it "returns expected result" do
+ expect(note).to receive(:cross_reference_not_visible_for?).and_return(cross_reference_visible)
+
+ unless cross_reference_visible
+ expect(note).to receive(:system_note_viewable_by?)
+ .with(user).and_return(system_note_viewable)
+ end
+
+ expect(note.visible_for?(user)).to eq result
+ end
+ end
+ end
+
+ describe "#system_note_viewable_by?(user)" do
+ let_it_be(:note) { create(:note) }
+ let_it_be(:user) { create(:user) }
+ let!(:metadata) { create(:system_note_metadata, note: note, action: "branch") }
+
+ context "when system_note_metadata is not present" do
+ it "returns true" do
+ expect(note).to receive(:system_note_metadata).and_return(nil)
+
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+
+ context "system_note_metadata isn't of type 'branch'" do
+ before do
+ metadata.action = "not_a_branch"
+ end
+
+ it "returns true" do
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+
+ context "user doesn't have :download_code ability" do
+ it "returns false" do
+ expect(note.send(:system_note_viewable_by?, user)).to be_falsey
+ end
+ end
+
+ context "user has the :download_code ability" do
+ it "returns true" do
+ expect(Ability).to receive(:allowed?).with(user, :download_code, note.project).and_return(true)
+
+ expect(note.send(:system_note_viewable_by?, user)).to be_truthy
+ end
+ end
+ end
+
describe "cross_reference_not_visible_for?" do
let(:private_user) { create(:user) }
let(:private_project) { create(:project, namespace: private_user.namespace) { |p| p.add_maintainer(private_user) } }