-rw-r--r--app/controllers/concerns/milestone_actions.rb2
-rw-r--r--changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml5
-rw-r--r--spec/controllers/projects/milestones_controller_spec.rb41
3 files changed, 47 insertions, 1 deletions
diff --git a/app/controllers/concerns/milestone_actions.rb b/app/controllers/concerns/milestone_actions.rb
index 8b8b7db72f8..1ead631663e 100644
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@@ -20,7 +20,7 @@ module MilestoneActions
format.html { redirect_to milestone_redirect_path }
format.json do
render json: tabs_json("shared/milestones/_participants_tab", {
- users: @milestone.participants # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ users: @milestone.issue_participants_visible_by_user(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
})
end
end
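Review bot: The new `issue_participants_visible_by_user(current_user)` call on the `+` line is passed `current_user` directly, and this endpoint can presumably be reached anonymously on a public project, so the helper must treat a nil user as "no confidential access" rather than raising or falling back to an unfiltered list; that contract is not visible in this hunk and is worth confirming on the model side. The replaced `@milestone.participants` was not obviously limited to issues, so if it also covered merge request participants the rename suggests that set is now dropped or still unfiltered — either way a short comment at the call site stating why the filtered accessor is used would help, e.g. `# Only expose participants of issues the requester may see (confidential issues are hidden from guests).` The enclosing `participants` action and its `respond_to` block begin outside this hunk.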
diff --git a/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml b/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
new file mode 100644
index 00000000000..574f9f8283c
--- /dev/null
+++ b/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Display only participants that user has permission to see on milestone page
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index 767cee7d54a..b3419ffa4fe 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -244,4 +244,45 @@ describe Projects::MilestonesController do
end
end
end
+
+ context '#participants' do
+ render_views
+
+ context "when guest user" do
+ let(:issue_assignee) { create(:user) }
+ let(:guest_user) { create(:user) }
+
+ before do
+ project.add_guest(guest_user)
+ sign_in(guest_user)
+ issue.update(assignee_ids: issue_assignee.id)
+ end
+
+ context "when issue is not confidential" do
+ it 'shows milestone participants' do
+ params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+ get :participants, params: params
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ expect(json_response['html']).to include(issue_assignee.name)
+ end
+ end
+
+ context "when issue is confidential" do
+ before do
+ issue.update(confidential: true)
+ end
+
+ it 'shows no milestone participants' do
+ params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+ get :participants, params: params
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ expect(json_response['html']).not_to include(issue_assignee.name)
+ end
+ end
+ end
+ end
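Review bot: The new `'#participants'` contexts only cover a guest, so an over-restrictive filter that hid confidential-issue participants from everyone (reporters, assignees, authors) would still pass both examples; a sibling context where a user with reporter access requests the confidential milestone and `expect(json_response['html']).to include(issue_assignee.name)` would pin the intended boundary. Both examples also build the same `params` hash, which could be hoisted into a `let(:params)` at the `'#participants'` level to keep the assertions focused on the visibility difference. The `describe Projects::MilestonesController` block this hunk extends starts outside the hunk.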
end