4 files changed, 115 insertions, 6 deletions

diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb
index 58df6f66d50..1eacae06457 100644
--- a/app/controllers/groups/milestones_controller.rb
+++ b/app/controllers/groups/milestones_controller.rb
@@ -3,14 +3,13 @@
 class Groups::MilestonesController < Groups::ApplicationController
   include MilestoneActions
 
-  before_action :group_projects
   before_action :milestone, only: [:edit, :show, :update, :merge_requests, :participants, :labels, :destroy]
   before_action :authorize_admin_milestones!, only: [:edit, :new, :create, :update, :destroy]
 
   def index
     respond_to do |format|
       format.html do
-        @milestone_states = Milestone.states_count(group_projects, [group])
+        @milestone_states = Milestone.states_count(group_projects_with_access, [group])
         @milestones = Kaminari.paginate_array(milestones).page(params[:page])
       end
       format.json do
@@ -100,13 +99,18 @@ class Groups::MilestonesController < Groups::ApplicationController
   end
 
   def legacy_milestones
-    GroupMilestone.build_collection(group, group_projects, params)
+    GroupMilestone.build_collection(group, group_projects_with_access, params)
+  end
+
+  def group_projects_with_access
+    group_projects.with_issues_available_for_user(current_user)
+      .or(group_projects.with_merge_requests_available_for_user(current_user))
   end
 
   def milestone
     @milestone =
       if params[:title]
-        GroupMilestone.build(group, group_projects, params[:title])
+        GroupMilestone.build(group, group_projects_with_access, params[:title])
       else
         group.milestones.find_by_iid(params[:id])
       end
diff --git a/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml b/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml
new file mode 100644
index 00000000000..7625655cadd
--- /dev/null
+++ b/changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml
@@ -0,0 +1,6 @@
+---
+title: Do not disclose project milestones on group milestones page when project milestones
+  access is disabled in project settings
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/groups/milestones_controller_spec.rb b/spec/controllers/groups/milestones_controller_spec.rb
index 41927907fd1..e0a3605d50a 100644
--- a/spec/controllers/groups/milestones_controller_spec.rb
+++ b/spec/controllers/groups/milestones_controller_spec.rb
@@ -3,8 +3,8 @@
 require 'spec_helper'
 
 describe Groups::MilestonesController do
-  let(:group) { create(:group) }
-  let!(:project) { create(:project, group: group) }
+  let(:group) { create(:group, :public) }
+  let!(:project) { create(:project, :public, group: group) }
   let!(:project2) { create(:project, group: group) }
   let(:user)    { create(:user) }
   let(:title) { '肯定不是中文的问题' }
@@ -63,6 +63,73 @@ describe Groups::MilestonesController do
         expect(response.body).to include(group_milestone.title)
         expect(response.body).not_to include(milestone.title)
       end
+
+      context 'when anonymous user' do
+        before do
+          sign_out(user)
+        end
+
+        it 'shows group milestones page' do
+          milestone
+
+          get :index, params: { group_id: group.to_param }
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.body).to include(milestone.title)
+        end
+      end
+
+      context 'when issues and merge requests are disabled in public project' do
+        shared_examples 'milestone not accessible' do
+          it 'does not return milestone' do
+            get :index, params: { group_id: public_group.to_param }
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(response.body).not_to include(private_milestone.title)
+          end
+        end
+
+        let!(:public_group) { create(:group, :public) }
+
+        let!(:public_project_with_private_issues_and_mrs) do
+          create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
+        end
+        let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
+
+        context 'when anonymous user' do
+          before do
+            sign_out(user)
+          end
+
+          it_behaves_like 'milestone not accessible'
+        end
+
+        context 'when non project or group member user' do
+          let(:non_member) { create(:user) }
+
+          before do
+            sign_in(non_member)
+          end
+
+          it_behaves_like 'milestone not accessible'
+        end
+
+        context 'when group member user' do
+          let(:member) { create(:user) }
+
+          before do
+            sign_in(member)
+            public_group.add_guest(member)
+          end
+
+          it 'returns the milestone' do
+            get :index, params: { group_id: public_group.to_param }
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(response.body).to include(private_milestone.title)
+          end
+        end
+      end
     end
 
     context 'as JSON' do
diff --git a/spec/requests/groups/milestones_controller_spec.rb b/spec/requests/groups/milestones_controller_spec.rb
new file mode 100644
index 00000000000..af19d931284
--- /dev/null
+++ b/spec/requests/groups/milestones_controller_spec.rb
@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Groups::MilestonesController do
+  context 'N+1 DB queries' do
+    let(:user) { create(:user) }
+    let!(:public_group) { create(:group, :public) }
+
+    let!(:public_project_with_private_issues_and_mrs) do
+      create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
+    end
+    let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
+
+    it 'avoids N+1 database queries' do
+      public_project = create(:project, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
+      create(:milestone, project: public_project)
+
+      control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) { get "/groups/#{public_group.to_param}/-/milestones.json" }.count
+
+      projects = create_list(:project, 2, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
+      projects.each do |project|
+        create(:milestone, project: project)
+      end
+
+      expect { get "/groups/#{public_group.to_param}/-/milestones.json" }.not_to exceed_all_query_limit(control_count)
+      expect(response).to have_http_status(200)
+      milestones = json_response
+
+      expect(milestones.count).to eq(3)
+      expect(milestones.map {|x| x['title']}).not_to include(private_milestone.title)
+    end
+  end
+end