summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGELOG2
-rw-r--r--app/models/concerns/mentionable.rb2
-rw-r--r--app/services/todo_service.rb2
-rw-r--r--doc/integration/omniauth.md12
-rw-r--r--lib/gitlab/o_auth/user.rb2
-rw-r--r--spec/lib/gitlab/o_auth/user_spec.rb17
-rw-r--r--spec/models/concerns/mentionable_spec.rb37
7 files changed, 65 insertions, 9 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 6a7c314f9f8..4fac555e12a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -36,6 +36,8 @@ v 8.10.0 (unreleased)
- More descriptive message for git hooks and file locks
- Handle custom Git hook result in GitLab UI
+v 8.9.4 (unreleased)
+ - Ensure references to private repos aren't shown to logged-out users
v 8.9.5 (unreleased)
- Improve the request / withdraw access button. !4860
- Fix assigning shared runners as admins. !4961
diff --git a/app/models/concerns/mentionable.rb b/app/models/concerns/mentionable.rb
index f00b5b8497c..8cac47246db 100644
--- a/app/models/concerns/mentionable.rb
+++ b/app/models/concerns/mentionable.rb
@@ -45,7 +45,7 @@ module Mentionable
def all_references(current_user = nil, text = nil, extractor: nil)
extractor ||= Gitlab::ReferenceExtractor.
- new(project, current_user || author)
+ new(project, current_user)
if text
extractor.analyze(text, author: author)
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 239bd17a035..6bb0a72d30e 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -237,7 +237,7 @@ class TodoService
end
def filter_mentioned_users(project, target, author)
- mentioned_users = target.mentioned_users
+ mentioned_users = target.mentioned_users(author)
mentioned_users = reject_users_without_access(mentioned_users, project, target)
mentioned_users.delete(author)
mentioned_users.uniq
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 820f40f81a9..46b260e7033 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -127,9 +127,15 @@ The chosen OmniAuth provider is now active and can be used to sign in to GitLab
This setting was introduced with version 8.7 of GitLab
You can define which OmniAuth providers you want to be `external` so that all users
-creating accounts via these providers will not be able to have access to internal
-projects. You will need to use the full name of the provider, like `google_oauth2`
-for Google. Refer to the examples for the full names of the supported providers.
+**creating accounts, or logging in via these providers** will not be able to have
+access to internal projects. You will need to use the full name of the provider,
+like `google_oauth2` for Google. Refer to the examples for the full names of the
+supported providers.
+
+>**Note:**
+If you decide to remove an OmniAuth provider from the external providers list
+you will need to manually update the users that use this method to login, if you
+want their accounts to be upgraded to full internal accounts.
**For Omnibus installations**
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index 7af75a9cc4c..0a91d3918d5 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -56,8 +56,6 @@ module Gitlab
if external_provider? && @user
@user.external = true
- elsif @user
- @user.external = false
end
@user
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index dd113d73342..1fca8a13037 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
end
context 'provider was external, now has been removed' do
- it 'should mark existing user internal' do
+ it 'should not mark external user as internal' do
create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
oauth_user.save
expect(gl_user).to be_valid
- expect(gl_user.external).to be_falsey
+ expect(gl_user.external).to be_truthy
+ end
+ end
+
+ context 'provider is not external' do
+ context 'when adding a new OAuth identity' do
+ it 'should not promote an external user to internal' do
+ user = create(:user, email: 'john@mail.com', external: true)
+ user.identities.create(provider: provider, extern_uid: uid)
+
+ oauth_user.save
+ expect(gl_user).to be_valid
+ expect(gl_user.external).to be_truthy
+ end
end
end
diff --git a/spec/models/concerns/mentionable_spec.rb b/spec/models/concerns/mentionable_spec.rb
index cb33edde820..0344dae8b5d 100644
--- a/spec/models/concerns/mentionable_spec.rb
+++ b/spec/models/concerns/mentionable_spec.rb
@@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
it { is_expected.not_to include(user2) }
end
+ describe '#referenced_mentionables' do
+ context 'with an issue on a private project' do
+ let(:project) { create(:empty_project, :public) }
+ let(:issue) { create(:issue, project: project) }
+ let(:public_issue) { create(:issue, project: project) }
+ let(:private_project) { create(:empty_project, :private) }
+ let(:private_issue) { create(:issue, project: private_project) }
+ let(:user) { create(:user) }
+
+ def referenced_issues(current_user)
+ text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}"
+
+ issue.referenced_mentionables(current_user, text)
+ end
+
+ context 'when the current user can see the issue' do
+ before { private_project.team << [user, Gitlab::Access::DEVELOPER] }
+
+ it 'includes the reference' do
+ expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue)
+ end
+ end
+
+ context 'when the current user cannot see the issue' do
+ it 'does not include the reference' do
+ expect(referenced_issues(user)).to contain_exactly(public_issue)
+ end
+ end
+
+ context 'when there is no current user' do
+ it 'does not include the reference' do
+ expect(referenced_issues(nil)).to contain_exactly(public_issue)
+ end
+ end
+ end
+ end
+
describe '#create_cross_references!' do
let(:project) { create(:project) }
let(:author) { double('author') }
View Lorry Controller Status