14 files changed, 178 insertions, 40 deletions

diff --git a/spec/controllers/projects/tags_controller_spec.rb b/spec/controllers/projects/tags_controller_spec.rb
index f077b4c99fc..7e5237facf6 100644
--- a/spec/controllers/projects/tags_controller_spec.rb
+++ b/spec/controllers/projects/tags_controller_spec.rb
@@ -13,7 +13,7 @@ describe Projects::TagsController do
     end
 
     it 'returns the tags for the page' do
-      expect(assigns(:tags).map(&:name)).to eq(['v1.1.0', 'v1.0.0'])
+      expect(assigns(:tags).map(&:name)).to include('v1.1.0', 'v1.0.0')
     end
 
     it 'returns releases matching those tags' do
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index ff0259cd40d..d16201fff5a 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -837,8 +837,7 @@ describe ProjectsController do
       get :refs, params: { namespace_id: project.namespace, id: project, sort: 'updated_desc' }
 
       expect(json_response['Branches']).to include('master')
-      expect(json_response['Tags'].first).to eq('v1.1.0')
-      expect(json_response['Tags'].last).to eq('v1.0.0')
+      expect(json_response['Tags']).to include('v1.0.0')
       expect(json_response['Commits']).to be_nil
     end
 
diff --git a/spec/features/projects/tags/user_edits_tags_spec.rb b/spec/features/projects/tags/user_edits_tags_spec.rb
index 63f97eeb4e0..b1cb7685f63 100644
--- a/spec/features/projects/tags/user_edits_tags_spec.rb
+++ b/spec/features/projects/tags/user_edits_tags_spec.rb
@@ -21,23 +21,21 @@ describe 'Project > Tags', :js do
 
     context 'page with tags list' do
       it 'shows tag name' do
-        page.within first('.tags > .content-list > li') do
-          expect(page.find('.row-main-content')).to have_content 'v1.1.0 Version 1.1.0'
-        end
+        expect(page).to have_content 'v1.1.0 Version 1.1.0'
       end
 
       it 'shows tag edit button' do
-        page.within first('.tags > .content-list > li') do
-          edit_btn = page.find('.row-fixed-content.controls a.btn-edit')
+        page.within '.tags > .content-list' do
+          edit_btn = page.find("li > .row-fixed-content.controls a.btn-edit[href='/#{project.full_path}/-/tags/v1.1.0/release/edit']")
 
-          expect(edit_btn['href']).to have_content '/tags/v1.1.0/release/edit'
+          expect(edit_btn['href']).to end_with("/#{project.full_path}/-/tags/v1.1.0/release/edit")
         end
       end
     end
 
     context 'edit tag release notes' do
       before do
-        find('.tags > .content-list > li:first-child .row-fixed-content.controls a.btn-edit').click
+        page.find("li > .row-fixed-content.controls a.btn-edit[href='/#{project.full_path}/-/tags/v1.1.0/release/edit']").click
       end
 
       it 'shows tag name header' do
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb
index 90e48f3c230..47f32e0113c 100644
--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -202,13 +202,13 @@ describe 'Project' do
       expect(page).not_to have_content('Forked from')
     end
 
-    it 'shows the name of the deleted project when the source was deleted', :sidekiq_might_not_need_inline do
+    it 'does not show the name of the deleted project when the source was deleted', :sidekiq_might_not_need_inline do
       forked_project
       Projects::DestroyService.new(base_project, base_project.owner).execute
 
       visit project_path(forked_project)
 
-      expect(page).to have_content("Forked from #{base_project.full_name} (deleted)")
+      expect(page).to have_content('Forked from an inaccessible project')
     end
 
     context 'a fork of a fork' do
diff --git a/spec/features/tags/developer_deletes_tag_spec.rb b/spec/features/tags/developer_deletes_tag_spec.rb
index 0fc62a578f9..50eac8ddaed 100644
--- a/spec/features/tags/developer_deletes_tag_spec.rb
+++ b/spec/features/tags/developer_deletes_tag_spec.rb
@@ -17,7 +17,7 @@ describe 'Developer deletes tag' do
     it 'deletes the tag' do
       expect(page).to have_content 'v1.1.0'
 
-      delete_first_tag
+      delete_tag 'v1.1.0'
 
       expect(page).not_to have_content 'v1.1.0'
     end
@@ -46,15 +46,15 @@ describe 'Developer deletes tag' do
     end
 
     it 'shows the error message' do
-      delete_first_tag
+      delete_tag 'v1.1.0'
 
       expect(page).to have_content('Do not delete tags')
     end
   end
 
-  def delete_first_tag
+  def delete_tag(tag)
     page.within('.content') do
-      accept_confirm { first('.btn-remove').click }
+      accept_confirm { find("li > .row-fixed-content.controls a.btn-remove[href='/#{project.full_path}/-/tags/#{tag}']").click }
     end
   end
 end
diff --git a/spec/features/tags/developer_updates_tag_spec.rb b/spec/features/tags/developer_updates_tag_spec.rb
index 0cdd953b9ae..167079c3f31 100644
--- a/spec/features/tags/developer_updates_tag_spec.rb
+++ b/spec/features/tags/developer_updates_tag_spec.rb
@@ -15,9 +15,7 @@ describe 'Developer updates tag' do
 
   context 'from the tags list page' do
     it 'updates the release notes' do
-      page.within(first('.content-list .controls')) do
-        click_link 'Edit release notes'
-      end
+      find("li > .row-fixed-content.controls a.btn-edit[href='/#{project.full_path}/-/tags/v1.1.0/release/edit']").click
 
       fill_in 'release_description', with: 'Awesome release notes'
       click_button 'Save changes'
diff --git a/spec/finders/tags_finder_spec.rb b/spec/finders/tags_finder_spec.rb
index e9f29ab2441..582d82bbf79 100644
--- a/spec/finders/tags_finder_spec.rb
+++ b/spec/finders/tags_finder_spec.rb
@@ -95,24 +95,25 @@ describe TagsFinder do
     end
 
     context 'filter and sort' do
-      it 'filters tags by name and sorts by recently_updated' do
-        params = { sort: 'updated_desc', search: 'v1' }
-        tags_finder = described_class.new(repository, params)
+      let(:tags_to_compare) { %w[v1.0.0 v1.1.0] }
+      subject { described_class.new(repository, params).execute.select { |tag| tags_to_compare.include?(tag.name) } }
 
-        result = tags_finder.execute
+      context 'when sort by updated_desc' do
+        let(:params) { { sort: 'updated_desc', search: 'v1' } }
 
-        expect(result.first.name).to eq('v1.1.0')
-        expect(result.count).to eq(2)
+        it 'filters tags by name' do
+          expect(subject.first.name).to eq('v1.1.0')
+          expect(subject.count).to eq(2)
+        end
       end
 
-      it 'filters tags by name and sorts by last_updated' do
-        params = { sort: 'updated_asc', search: 'v1' }
-        tags_finder = described_class.new(repository, params)
-
-        result = tags_finder.execute
+      context 'when sort by updated_asc' do
+        let(:params) { { sort: 'updated_asc', search: 'v1' } }
 
-        expect(result.first.name).to eq('v1.0.0')
-        expect(result.count).to eq(2)
+        it 'filters tags by name' do
+          expect(subject.first.name).to eq('v1.0.0')
+          expect(subject.count).to eq(2)
+        end
       end
     end
   end
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 35e99d2586e..66af26bc51c 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
 
       expect(reference_filter(act).to_html).to eq exp
     end
+
+    context 'when group name has HTML entities' do
+      let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
+
+      it 'escapes the HTML entities' do
+        expect(result.text)
+          .to eq "See #{group_label.name} in #{another_project.full_name}"
+      end
+    end
   end
 
   describe 'cross-project / same-group_label complete reference' do
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 873728f9909..1b28e26a7e8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -24,7 +24,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
       '_html' => '<p>perfectly ordinary html</p>',
       'cached_markdown_version' => 12345,
       'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'issue_ids' => [1, 2, 3],
+      'merge_request_ids' => [1, 2, 3],
+      'note_ids' => [1, 2, 3]
     }
   end
 
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index cf9100eb6cf..9e300418ade 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -66,14 +66,16 @@ describe Repository do
   end
 
   describe 'tags_sorted_by' do
+    let(:tags_to_compare) { %w[v1.0.0 v1.1.0] }
+
     context 'name_desc' do
-      subject { repository.tags_sorted_by('name_desc').map(&:name) }
+      subject { repository.tags_sorted_by('name_desc').map(&:name) & tags_to_compare }
 
       it { is_expected.to eq(['v1.1.0', 'v1.0.0']) }
     end
 
     context 'name_asc' do
-      subject { repository.tags_sorted_by('name_asc').map(&:name) }
+      subject { repository.tags_sorted_by('name_asc').map(&:name) & tags_to_compare }
 
       it { is_expected.to eq(['v1.0.0', 'v1.1.0']) }
     end
@@ -115,7 +117,7 @@ describe Repository do
       context 'annotated tag pointing to a blob' do
         let(:annotated_tag_name) { 'annotated-tag' }
 
-        subject { repository.tags_sorted_by('updated_asc').map(&:name) }
+        subject { repository.tags_sorted_by('updated_asc').map(&:name) & (tags_to_compare + [annotated_tag_name]) }
 
         before do
           options = { message: 'test tag message\n',
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index f1447536e0f..cda2dd7d2f4 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -49,6 +49,8 @@ shared_examples 'languages and percentages JSON response' do
 end
 
 describe API::Projects do
+  include ProjectForksHelper
+
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let(:user3) { create(:user) }
@@ -1163,6 +1165,18 @@ describe API::Projects do
         expect(json_response.keys).not_to include('permissions')
       end
 
+      context 'the project is a public fork' do
+        it 'hides details of a public fork parent' do
+          public_project = create(:project, :repository, :public)
+          fork = fork_project(public_project)
+
+          get api("/projects/#{fork.id}")
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['forked_from_project']).to be_nil
+        end
+      end
+
       context 'and the project has a private repository' do
         let(:project) { create(:project, :repository, :public, :repository_private) }
         let(:protected_attributes) { %w(default_branch ci_config_path) }
@@ -1479,6 +1493,28 @@ describe API::Projects do
         end
       end
 
+      context 'the project is a fork' do
+        it 'shows details of a visible fork parent' do
+          fork = fork_project(project, user)
+
+          get api("/projects/#{fork.id}", user)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['forked_from_project']).to include('id' => project.id)
+        end
+
+        it 'hides details of a hidden fork parent' do
+          fork = fork_project(project, user)
+          fork_user = create(:user)
+          fork.team.add_developer(fork_user)
+
+          get api("/projects/#{fork.id}", fork_user)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['forked_from_project']).to be_nil
+        end
+      end
+
       describe 'permissions' do
         context 'all projects' do
           before do
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index 3c6ec631664..dca87d5e4ce 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -7,6 +7,7 @@ describe API::Tags do
   let(:guest) { create(:user).tap { |u| project.add_guest(u) } }
   let(:project) { create(:project, :repository, creator: user, path: 'my.project') }
   let(:tag_name) { project.repository.find_tag('v1.1.0').name }
+  let(:tag_message) { project.repository.find_tag('v1.1.0').message }
 
   let(:project_id) { project.id }
   let(:current_user) { nil }
@@ -75,7 +76,7 @@ describe API::Tags do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to match_response_schema('public_api/v4/tags')
         expect(response).to include_pagination_headers
-        expect(json_response.first['name']).to eq(tag_name)
+        expect(json_response.map { |r| r['name'] }).to include(tag_name)
       end
 
       context 'when repository is disabled' do
@@ -135,9 +136,10 @@ describe API::Tags do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to match_response_schema('public_api/v4/tags')
         expect(response).to include_pagination_headers
-        expect(json_response.first['name']).to eq(tag_name)
-        expect(json_response.first['message']).to eq('Version 1.1.0')
-        expect(json_response.first['release']['description']).to eq(description)
+
+        expected_tag = json_response.find { |r| r['name'] == tag_name }
+        expect(expected_tag['message']).to eq(tag_message)
+        expect(expected_tag['release']['description']).to eq(description)
       end
     end
   end
diff --git a/spec/views/projects/_home_panel.html.haml_spec.rb b/spec/views/projects/_home_panel.html.haml_spec.rb
index 4d5b369e88e..9956144b601 100644
--- a/spec/views/projects/_home_panel.html.haml_spec.rb
+++ b/spec/views/projects/_home_panel.html.haml_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe 'projects/_home_panel' do
+  include ProjectForksHelper
+
   context 'notifications' do
     let(:project) { create(:project) }
 
@@ -144,4 +146,36 @@ describe 'projects/_home_panel' do
       end
     end
   end
+
+  context 'forks' do
+    let(:source_project) { create(:project, :repository) }
+    let(:project) { fork_project(source_project) }
+    let(:user) { create(:user) }
+
+    before do
+      assign(:project, project)
+
+      allow(view).to receive(:current_user).and_return(user)
+    end
+
+    context 'user can read fork source' do
+      it 'shows the forked-from project' do
+        allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true)
+
+        render
+
+        expect(rendered).to have_content("Forked from #{source_project.full_name}")
+      end
+    end
+
+    context 'user cannot read fork source' do
+      it 'does not show the forked-from project' do
+        allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false)
+
+        render
+
+        expect(rendered).to have_content("Forked from an inaccessible project")
+      end
+    end
+  end
 end
diff --git a/spec/views/projects/edit.html.haml_spec.rb b/spec/views/projects/edit.html.haml_spec.rb
index f576093ab45..40927a22dc4 100644
--- a/spec/views/projects/edit.html.haml_spec.rb
+++ b/spec/views/projects/edit.html.haml_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 
 describe 'projects/edit' do
   include Devise::Test::ControllerHelpers
+  include ProjectForksHelper
 
   let(:project) { create(:project) }
   let(:user) { create(:admin) }
@@ -26,4 +27,59 @@ describe 'projects/edit' do
       expect(rendered).not_to have_content('Export project')
     end
   end
+
+  context 'forking' do
+    before do
+      assign(:project, project)
+
+      allow(view).to receive(:current_user).and_return(user)
+    end
+
+    context 'project is not a fork' do
+      it 'hides the remove fork relationship settings' do
+        render
+
+        expect(rendered).not_to have_content('Remove fork relationship')
+      end
+    end
+
+    context 'project is a fork' do
+      let(:source_project) { create(:project) }
+      let(:project) { fork_project(source_project) }
+
+      it 'shows the remove fork relationship settings to an authorized user' do
+        allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(true)
+
+        render
+
+        expect(rendered).to have_content('Remove fork relationship')
+      end
+
+      it 'hides the fork relationship settings from an unauthorized user' do
+        allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(false)
+
+        render
+
+        expect(rendered).not_to have_content('Remove fork relationship')
+      end
+
+      it 'hides the fork source from an unauthorized user' do
+        allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false)
+
+        render
+
+        expect(rendered).to have_content('Remove fork relationship')
+        expect(rendered).not_to have_content(source_project.full_name)
+      end
+
+      it 'shows the fork source to an authorized user' do
+        allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true)
+
+        render
+
+        expect(rendered).to have_content('Remove fork relationship')
+        expect(rendered).to have_content(source_project.full_name)
+      end
+    end
+  end
 end