summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG1
-rw-r--r--app/models/concerns/mentionable.rb2
-rw-r--r--app/services/todo_service.rb2
-rw-r--r--spec/models/concerns/mentionable_spec.rb37
4 files changed, 40 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 009268995c3..9bb03dcb13c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.7
- Fix privilege escalation issue with OAuth external users.
+ - Ensure references to private repos aren't shown to logged-out users.
v 8.8.6
- Fix visibility of snippets when searching.
diff --git a/app/models/concerns/mentionable.rb b/app/models/concerns/mentionable.rb
index b381d225485..2621c0fecf2 100644
--- a/app/models/concerns/mentionable.rb
+++ b/app/models/concerns/mentionable.rb
@@ -44,7 +44,7 @@ module Mentionable
end
def all_references(current_user = nil, text = nil)
- ext = Gitlab::ReferenceExtractor.new(self.project, current_user || self.author, self.author)
+ ext = Gitlab::ReferenceExtractor.new(self.project, current_user, self.author)
if text
ext.analyze(text)
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 4bf4e144727..c259c2fc75f 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -200,7 +200,7 @@ class TodoService
end
def filter_mentioned_users(project, target, author)
- mentioned_users = target.mentioned_users
+ mentioned_users = target.mentioned_users(author)
mentioned_users = reject_users_without_access(mentioned_users, project, target)
mentioned_users.delete(author)
mentioned_users.uniq
diff --git a/spec/models/concerns/mentionable_spec.rb b/spec/models/concerns/mentionable_spec.rb
index cb33edde820..0344dae8b5d 100644
--- a/spec/models/concerns/mentionable_spec.rb
+++ b/spec/models/concerns/mentionable_spec.rb
@@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
it { is_expected.not_to include(user2) }
end
+ describe '#referenced_mentionables' do
+ context 'with an issue on a private project' do
+ let(:project) { create(:empty_project, :public) }
+ let(:issue) { create(:issue, project: project) }
+ let(:public_issue) { create(:issue, project: project) }
+ let(:private_project) { create(:empty_project, :private) }
+ let(:private_issue) { create(:issue, project: private_project) }
+ let(:user) { create(:user) }
+
+ def referenced_issues(current_user)
+ text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}"
+
+ issue.referenced_mentionables(current_user, text)
+ end
+
+ context 'when the current user can see the issue' do
+ before { private_project.team << [user, Gitlab::Access::DEVELOPER] }
+
+ it 'includes the reference' do
+ expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue)
+ end
+ end
+
+ context 'when the current user cannot see the issue' do
+ it 'does not include the reference' do
+ expect(referenced_issues(user)).to contain_exactly(public_issue)
+ end
+ end
+
+ context 'when there is no current user' do
+ it 'does not include the reference' do
+ expect(referenced_issues(nil)).to contain_exactly(public_issue)
+ end
+ end
+ end
+ end
+
describe '#create_cross_references!' do
let(:project) { create(:project) }
let(:author) { double('author') }