Fix internal snippets can be searched by anyone

8f9b64c7 · Douglas Barbosa Alexandre · 1d9bbb0b · 8f9b64c7 · 8f9b64c7 · 8f9b64c7
Commit 8f9b64c7 authored 8 years ago by Douglas Barbosa Alexandre
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -135,7 +135,10 @@ class Snippet < ActiveRecord::Base
    end
    def accessible_to(user)
-      where('visibility_level IN (?) OR author_id = ?', [Snippet::INTERNAL, Snippet::PUBLIC], user)
+      visibility_levels = [Snippet::PUBLIC]
+      visibility_levels << Snippet::INTERNAL if user
+      where('visibility_level IN (?) OR author_id = ?', visibility_levels, user)
    end
  end
 end
--- a/spec/models/snippet_spec.rb
+++ b/spec/models/snippet_spec.rb
@@ -72,7 +72,7 @@ describe Snippet, models: true do
    end
  end
-  describe '#search_code' do
+  describe '.search_code' do
    let(:snippet) { create(:snippet, content: 'class Foo; end') }
    it 'returns snippets with matching content' do
@@ -88,6 +88,26 @@ describe Snippet, models: true do
    end
  end
+  describe '.accessible_to' do
+    let(:author) { create(:author) }
+    let(:user) { create(:user) }
+    let!(:public_snippet)   { create(:snippet, :public) }
+    let!(:internal_snippet) { create(:snippet, :internal) }
+    let!(:private_snippet)  { create(:snippet, :private, author: author) }
+    it 'returns only public snippets when user is nil' do
+      expect(described_class.accessible_to(nil)).to eq [public_snippet]
+    end
+    it 'returns only public, and internal snippets when user is not nil' do
+      expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet]
+    end
+    it 'returns snippets where the user is the author' do
+      expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet]
+    end
+  end
  describe '#participants' do
    let(:project) { create(:project, :public) }
    let(:snippet) { create(:snippet, content: 'foo', project: project) }

--- a/spec/services/search/snippet_service_spec.rb
+++ b/spec/services/search/snippet_service_spec.rb
+require 'spec_helper'
+describe Search::SnippetService, services: true do
+  let(:author) { create(:author) }
+  let(:internal_user) { create(:user) }
+  let!(:public_snippet)   { create(:snippet, :public, content: 'password: XXX') }
+  let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }
+  let!(:private_snippet)  { create(:snippet, :private, content: 'password: XXX', author: author) }
+  describe '#execute' do
+    context 'unauthenticated' do
+      it 'should return public snippets only' do
+        search = described_class.new(nil, search: 'password')
+        results = search.execute
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet]
+      end
+    end
+    context 'authenticated' do
+      it 'should return only public & internal snippets' do
+        search = described_class.new(internal_user, search: 'password')
+        results = search.execute
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet]
+      end
+      it 'should return public, internal and private snippets for author' do
+        search = described_class.new(author, search: 'password')
+        results = search.execute
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet]
+      end
+    end
+  end
+end