From 75d41a3657fc32dbc4c783ddd8af951105e8c1df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?=
Date: Tue, 12 Jan 2016 18:10:06 +0100
Subject: Show referenced MR in issues only when the current viewer can access it
---
 CHANGELOG | 1 +
 app/controllers/projects/issues_controller.rb | 2 +-
 app/models/issue.rb | 4 +-
 features/project/merge_requests/notes.feature | 25 +++++++++
 features/steps/project/merge_requests/notes.rb | 71 ++++++++++++++++++++++++++
 5 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 features/project/merge_requests/notes.feature
 create mode 100644 features/steps/project/merge_requests/notes.rb
diff --git a/CHANGELOG b/CHANGELOG
index ab34661ce05..9f3dac10aad 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ v 8.4.0 (unreleased)
 - Ajax filter by message for commits page
 - API: Add support for deleting a tag via the API (Robert Schilling)
 - Allow subsequent validations in CI Linter
+ - Show referenced MR in issues only when the current viewer can access it
 v 8.3.3
 - Preserve CE behavior with JIRA integration by only calling API if URL is set
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index b59b52291fb..f476afb2d92 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
 @note = @project.notes.new(noteable: @issue)
 @notes = @issue.notes.nonawards.with_associations.fresh
 @noteable = @issue
- @merge_requests = @issue.referenced_merge_requests
+ @merge_requests = @issue.referenced_merge_requests(current_user)
 respond_with(@issue)
 end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index f52e47f3e62..7beba984608 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
 reference
 end
- def referenced_merge_requests
+ def referenced_merge_requests(current_user = nil)
 Gitlab::ReferenceExtractor.lazily do
 [self, *notes].flat_map do |note|
- note.all_references.merge_requests
+ note.all_references(current_user).merge_requests
 end
 end.sort_by(&:iid)
 end
diff --git a/features/project/merge_requests/notes.feature b/features/project/merge_requests/notes.feature
new file mode 100644
index 00000000000..cf337a8fe28
--- /dev/null
+++ b/features/project/merge_requests/notes.feature
@@ -0,0 +1,25 @@
+@project_merge_requests
+Feature: Project Merge Requests Notes
+ Background:
+ Given I sign in as "Mary Jane"
+ And I own public project "Public Shop"
+ And project "Public Shop" has "Public Issue 01" open issue
+ And I logout
+ And I sign in as "John Doe"
+ And I own private project "Private Library"
+ And project "Private Library" has "Private MR 01" open merge request
+ And I visit merge request page "Private MR 01"
+ And I leave a comment with link to issue "Public Issue 01"
+ And I logout
+
+ @javascript
+ Scenario: Viewing the public issue as a lambda user
+ Given I sign in as "Mary Jane"
+ When I visit issue page "Public Issue 01"
+ Then I should not see any related merge requests
+
+ @javascript
+ Scenario: Viewing the public issue as "John Doe"
+ Given I sign in as "John Doe"
+ When I visit issue page "Public Issue 01"
+ Then I should see the "Private MR 01" related merge request
diff --git a/features/steps/project/merge_requests/notes.rb b/features/steps/project/merge_requests/notes.rb
new file mode 100644
index 00000000000..2c3f70cdc6e
--- /dev/null
+++ b/features/steps/project/merge_requests/notes.rb
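Review bot: The `current_user = nil` default on `referenced_merge_requests` lets any caller that omits the argument keep working, so the visibility filter is only as strong as whatever `all_references(nil)` does, and that method is not part of this diff. If `nil` there means a signed-out viewer the default fails closed; if it means no restriction, or falls back to the note author, a remaining zero-argument caller would still list merge requests from private projects. Either drop the default so every caller has to name the viewer, `def referenced_merge_requests(current_user)`, or state the contract above the method, e.g. `# current_user decides which referenced merge requests are returned; nil is treated as a signed-out visitor`. The controller call in issues_controller.rb passes `current_user`, which is presumably nil for signed-out visitors of a public project, so the nil path is reachable either way. The Issue class begins outside this hunk.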
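Review bot: Both scenarios sign in before visiting the issue, so the signed-out visitor is never exercised, even though "Public Shop" is public and the model change defaults the viewer to `nil`. A third scenario without a sign-in step, `When I visit issue page "Public Issue 01"` followed by `Then I should not see any related merge requests`, would pin that case; the Background already ends with `And I logout`. The title "Viewing the public issue as a lambda user" would read more clearly as "as a regular user".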
@@ -0,0 +1,71 @@
+class Spinach::Features::ProjectMergeRequestsNotes < Spinach::FeatureSteps
+ include SharedAuthentication
+ include SharedUser
+
+ step 'I own public project "Public Shop"' do
+ project = create :project, :public, name: 'Public Shop', namespace: current_user.namespace
+ project.team << [current_user, :master]
+ end
+
+ step 'project "Public Shop" has "Public Issue 01" open issue' do
+ project = Project.find_by(name: 'Public Shop')
+
+ create(:issue,
+ title: 'Public Issue 01',
+ project: project,
+ author: current_user,
+ description: '# Description header'
+ )
+ end
+
+ step 'I own private project "Private Library"' do
+ project = create :project, name: 'Private Library', namespace: current_user.namespace
+ project.team << [current_user, :master]
+ end
+
+ step 'project "Private Library" has "Private MR 01" open merge request' do
+ project = Project.find_by!(name: 'Private Library')
+
+ create(:merge_request,
+ title: 'Private MR 01',
+ source_project: project,
+ target_project: project,
+ source_branch: 'fix',
+ target_branch: 'master',
+ author: current_user,
+ description: '# Description header'
+ )
+ end
+
+ step 'I visit merge request page "Private MR 01"' do
+ mr = MergeRequest.find_by(title: "Private MR 01")
+ visit namespace_project_merge_request_path(mr.target_project.namespace, mr.target_project, mr)
+ end
+
+ step 'I leave a comment with link to issue "Public Issue 01"' do
+ issue = Issue.find_by!(title: 'Public Issue 01')
+
+ page.within(".js-main-target-form") do
+ fill_in "note[note]", with: namespace_project_issue_url(issue.project.namespace, issue.project, issue)
+ click_button "Add Comment"
+ end
+ end
+
+ step 'I visit issue page "Public Issue 01"' do
+ issue = Issue.find_by(title: "Public Issue 01")
+ visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
+ end
+
+ step 'I should not see any related merge requests' do
+ page.within '.issue-details' do
+ expect(page).not_to have_content('.merge-requests')
+ end
+ end
+
+ step 'I should see the "Private MR 01" related merge request' do
+ page.within '.merge-requests' do
+ expect(page).to have_content("1 Related Merge Request")
+ expect(page).to have_content("Private MR 01")
+ end
+ end
+end
-- cgit v1.2.1
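Review bot: The negative step `expect(page).not_to have_content('.merge-requests')` looks for the literal text ".merge-requests" rather than the element, because Capybara's `have_content` matches visible page text, not CSS selectors. That assertion holds whether or not the private merge request is rendered, so the "Mary Jane" scenario cannot catch a regression of this access check. Use `expect(page).not_to have_css('.merge-requests')` and, to pin the leak itself, add `expect(page).not_to have_content('Private MR 01')` inside the same `within` block. Separately, the two visit steps look records up with `find_by(title: ...)`, which returns nil on a miss, while the other steps use `find_by!`; switching them to `find_by!` would give a clearer failure.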