Commit fa828100 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-469367-commit-info-visible-though-atom-17-1' into '17-1-stable-ee'

Commit information visible through release atom endpoint for guest users

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4439



Merged-by: default avatarGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: default avatarTomas Bulva <tbulva@gitlab.com>
Co-authored-by: default avatarAnna Vovchenko <avovchenko@gitlab.com>
parents e2ceeac5 6745cd87
@@ -9,7 +9,7 @@ xml.entry do
xml.id release_url
xml.link href: release_url
xml.title truncate(release.name, length: 160)
xml.summary strip_signature(release.commit.message)
xml.summary strip_signature(release.commit.message) if can?(current_user, :read_code, @project)
xml.content markdown_field(release, :description), type: 'html'
xml.updated release.updated_at.xmlschema
xml.published release.released_at.xmlschema
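Review bot: The new `if can?(current_user, :read_code, @project)` guard on the `xml.summary` line records nothing about why the commit message is tied to code access rather than to release visibility, so a later edit could easily relax it; a one-line comment above it would pin the intent, e.g. `# The commit message is repository content, not release metadata: omit it unless the user can read code.` The check is also evaluated once per entry, so if this entry template is rendered from an enclosing feed template (outside this hunk) the result could be computed once there and passed in rather than relying on `can?` being memoised — I cannot tell from the hunk whether it is. The enclosing `xml.entry do` block starts before the hunk.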
@@ -92,5 +92,54 @@
end
end
end
context 'when user has permissions to read code' do
let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
before do
login_as(user)
end
it 'shows commit details in the atom feed' do
get(project_releases_url(project, format: :atom))
expect(response.body).to include(release.commit.message)
end
end
context 'when user doesn\'t have permissions to read code' do
let_it_be(:release) { create(:release, project: project, tag: 'v11.9.0-rc2' ) }
let_it_be(:new_user) { create(:user, guest_of: project) }
before do
login_as(new_user)
end
it 'dosn\'t show commit details in the atom feed' do
get(project_releases_url(project, format: :atom))
doc = Hash.from_xml(response.body)
expect(response.body).not_to include(release.commit.message)
expect(doc["feed"]["entry"]["summary"]).to be_nil
end
end
context 'when the project is public with private repository and user is unauthenticated' do
let_it_be(:public_project) do
create(:project, :repository, :public, repository_access_level: ProjectFeature::PRIVATE)
end
let_it_be(:release) { create(:release, project: public_project, tag: 'v11.9.0-rc2' ) }
it 'dosn\'t show commit details in the atom feed' do
get(project_releases_url(public_project, format: :atom))
doc = Hash.from_xml(response.body)
expect(response.body).not_to include(release.commit.message)
expect(doc["feed"]["entry"]["summary"]).to be_nil
end
end
end
end
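Review bot: The two negative examples carry a typo in their descriptions, `it 'dosn\'t show commit details in the atom feed'`, which should read `it "doesn't show commit details in the atom feed"` in both the guest context and the unauthenticated public-project context. The positive context only asserts that the body includes the commit message; adding `expect(Hash.from_xml(response.body)["feed"]["entry"]["summary"]).to be_present` there would make the `be_nil` checks in the other two contexts meaningful as a contrast. Note that `Hash.from_xml` yields a Hash under `"entry"` only when the feed has a single release; if a release is also defined above the hunk for these projects, `"entry"` becomes an Array and the `["summary"]` lookup would raise, so keeping one release per context matters. The three contexts also repeat the same `let_it_be(:release)` and parsing lines, which could be shared if the spec already uses shared examples, but that is a style point only.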