Commit information visible through release atom endpoint for guest users

Merge branch 'security-469367-commit-info-visible-though-atom-17-2' into '17-2-stable-ee' See merge request gitlab-org/security/gitlab!4438 Changelog: security

Commit information visible through release atom endpoint for guest users
3944f5b9 · Anna Vovchenko · GitLab Release Tools Bot · af196fe5 · 3944f5b9 · 3944f5b9
Commit 3944f5b9 authored 5 months ago by Anna Vovchenko Committed by GitLab Release Tools Bot 5 months ago
--- a/app/views/projects/releases/_release.atom.builder
+++ b/app/views/projects/releases/_release.atom.builder
@@ -9,7 +9,7 @@ xml.entry do
  xml.id        release_url
  xml.link      href: release_url
  xml.title     truncate(release.name, length: 160)
-  xml.summary   strip_signature(release.commit.message)
+  xml.summary   strip_signature(release.commit.message) if can?(current_user, :read_code, @project)
  xml.content   markdown_field(release, :description), type: 'html'
  xml.updated   release.updated_at.xmlschema
  xml.published release.released_at.xmlschema

--- a/spec/requests/projects/releases_controller_spec.rb
+++ b/spec/requests/projects/releases_controller_spec.rb
@@ -92,5 +92,54 @@
        end
      end
    end
+
+    context 'when user has permissions to read code' do
+      let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
+
+      before do
+        login_as(user)
+      end
+
+      it 'shows commit details in the atom feed' do
+        get(project_releases_url(project, format: :atom))
+
+        expect(response.body).to include(release.commit.message)
+      end
+    end
+
+    context 'when user doesn\'t have permissions to read code' do
+      let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
+      let_it_be(:new_user) { create(:user, guest_of: project) }
+
+      before do
+        login_as(new_user)
+      end
+
+      it 'dosn\'t show commit details in the atom feed' do
+        get(project_releases_url(project, format: :atom))
+
+        doc = Hash.from_xml(response.body)
+
+        expect(response.body).not_to include(release.commit.message)
+        expect(doc["feed"]["entry"]["summary"]).to be_nil
+      end
+    end
+
+    context 'when the project is public with private repository and user is unauthenticated' do
+      let_it_be(:public_project) do
+        create(:project, :repository, :public, repository_access_level: ProjectFeature::PRIVATE)
+      end
+
+      let_it_be(:release) { create(:release, project: public_project, tag: 'v11.9.0-rc2' ) }
+
+      it 'dosn\'t show commit details in the atom feed' do
+        get(project_releases_url(public_project, format: :atom))
+
+        doc = Hash.from_xml(response.body)
+
+        expect(response.body).not_to include(release.commit.message)
+        expect(doc["feed"]["entry"]["summary"]).to be_nil
+      end
+    end
  end
 end