4 files changed, 26 insertions, 6 deletions
diff --git a/app/assets/javascripts/users_select/index.js b/app/assets/javascripts/users_select/index.js
index 69b3c27173f..8ed92e6b948 100644
--- a/app/assets/javascripts/users_select/index.js
+++ b/app/assets/javascripts/users_select/index.js
@@ -842,7 +842,7 @@ UsersSelect.prototype.renderApprovalRules = function (elsClassName, approvalRule
   const [rule] = approvalRules;
   const countText = sprintf(__('(+%{count} rules)'), { count });
   const renderApprovalRulesCount = count > 1 ? `<span class="ml-1">${countText}</span>` : '';
-  const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : rule.name;
+  const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : escape(rule.name);
 
   return `<div class="gl-display-flex gl-font-sm">
     <span class="gl-text-truncate" title="${ruleName}">${ruleName}</span>
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index d0987492d2d..b979276437c 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -34,13 +34,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   end
 
   def import
-    @projects = current_user.authorized_projects.order_id_desc
+    @projects = Project.visible_to_user_and_access_level(current_user, Gitlab::Access::MAINTAINER).order_id_desc
   end
 
   def apply_import
     source_project = Project.find(params[:source_project_id])
 
-    if can?(current_user, :read_project_member, source_project)
+    if can?(current_user, :admin_project_member, source_project)
       status = @project.team.import(source_project, current_user)
       notice = status ? "Successfully imported" : "Import failed"
     else
diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb
index be5c1f0d428..c352524ec14 100644
--- a/spec/controllers/projects/project_members_controller_spec.rb
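Review bot: The escaping on the changed `ruleName` line is only sufficient if `escape` here is lodash's HTML escaper; the import sits above the hunk where I cannot see it, and the deprecated global `escape()` would resolve without error yet percent-encode instead of entity-encode, so confirm the module imports `escape` from `lodash` (the frontend spec in this commit pins that expectation, which is good). Because `ruleName` is then interpolated into both a `title` attribute and a text node further down, a comment on the changed line prevents a later double-escape: `// rule.name is user-supplied; it is HTML-escaped once here, so the template below must not escape it again`. The `__('Code Owner')` branch stays unescaped, which is fine only as long as translation strings are treated as trusted. renderApprovalRules continues outside the hunk, including the interpolation of renderApprovalRulesCount.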
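Review bot: The project list in `import` and the authorization in `apply_import` are now enforced by two different mechanisms — a fixed `Gitlab::Access::MAINTAINER` level versus the `:admin_project_member` ability — so they can drift apart if that ability's policy is later narrowed or widened, and the list would then show projects the copy is refused for, or hide ones it would allow. The ability check in `apply_import` is the authoritative one; say so on the `import` line: `# Listing only; apply_import's ability check is what authorizes the copy`. Note that `Project.find` raises for an unknown id while a known-but-unauthorized id falls through to the `else` branch, so the two cases answer differently; that is consistent with how the controller already behaved. I cannot see the `before_action` that gates these actions on the target `@project`, so confirm it still requires member administration there.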
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -624,9 +624,9 @@ RSpec.describe Projects::ProjectMembersController do
       end
     end
 
-    context 'when user can access source project members' do
+    context 'when user can admin source project members' do
       before do
-        another_project.add_guest(user)
+        another_project.add_maintainer(user)
       end
 
       include_context 'import applied'
@@ -640,7 +640,11 @@ RSpec.describe Projects::ProjectMembersController do
       end
     end
 
-    context 'when user is not member of a source project' do
+    context "when user can't admin source project members" do
+      before do
+        another_project.add_developer(user)
+      end
+
       include_context 'import applied'
 
       it 'does not import team members' do
diff --git a/spec/frontend/users_select/index_spec.js b/spec/frontend/users_select/index_spec.js
index 99caaf61c54..0d2aae78944 100644
--- a/spec/frontend/users_select/index_spec.js
+++ b/spec/frontend/users_select/index_spec.js
@@ -1,3 +1,5 @@
+import { escape } from 'lodash';
+import UsersSelect from '~/users_select/index';
 import {
   createInputsModelExpectation,
   createUnassignedExpectation,
@@ -91,5 +93,19 @@ describe('~/users_select/index', () => {
       expect(findDropdownItemsModel()).toEqual(expectation);
     });
   });
+
+  describe('renderApprovalRules', () => {
+    const ruleNames = ['simple-name', '"\'<>&', '"><script>alert(1)<script>'];
+
+    it.each(ruleNames)('escapes rule name correctly for %s', (name) => {
+      const escapedName = escape(name);
+
+      expect(
+        UsersSelect.prototype.renderApprovalRules('reviewer', [{ name }]),
+      ).toMatchInterpolatedText(
+        `<div class="gl-display-flex gl-font-sm"> <span class="gl-text-truncate" title="${escapedName}">${escapedName}</span> </div>`,
+      );
+    });
+  });
 });
 });
|
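Review bot: The rewritten negative context in the second hunk replaces the old "not a member of a source project" case with a developer member, so the non-member path through `apply_import` is no longer exercised by any spec. Keep both: add a sibling `context 'when user is not a member of the source project' do` with the same `include_context 'import applied'` and `it 'does not import team members'` expectation, alongside the new developer case. A developer is the most useful boundary for the new `:admin_project_member` check, so that addition is welcome; it just should not displace the non-member case. The enclosing describe block starts and ends outside the hunk.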