Commit 29d8b4ee authored by Sean McGivern's avatar Sean McGivern Committed by DJ Mountney

Merge branch '29364-private-projects-mr-fix'

Don’t show source project name when user does not have access

See merge request !2081
parent 2e8aa209
@@ -21,7 +21,9 @@ module MergeRequests
delegate :target_branch, :source_branch, :source_project, :target_project, :compare_commits, :wip_title, :description, :errors, to: :merge_request
 
def find_source_project
source_project || project
return source_project if source_project.present? && can?(current_user, :read_project, source_project)
project
end
 
def find_target_project
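Review bot: The permission check lives only in `find_source_project`, while `source_project` is still delegated straight to `merge_request` on the `delegate` line, so any other code in this service that reads `source_project` directly would get the unchecked value; this cannot be confirmed from the hunk because the rest of the class is outside it. A comment above the method would keep the guard from being simplified back to `source_project || project` later, for example `# Falls back to project when the requested source project is missing or not readable by current_user, so its name is never exposed.` The silent fallback does keep a missing project and a forbidden one indistinguishable to the caller, which is worth stating in that comment too.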
---
title: Don’t show source project name when user does not have access
merge_request:
author:
@@ -70,6 +70,18 @@ feature 'Create New Merge Request', feature: true, js: true do
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
 
expect(page).not_to have_content private_project.path_with_namespace
expect(page).to have_content project.path_with_namespace
end
end
context 'when source project cannot be viewed by the current user' do
it 'does not leak the private project name & namespace' do
private_project = create(:project, :private)
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { source_project_id: private_project.id })
expect(page).not_to have_content private_project.path_with_namespace
expect(page).to have_content project.path_with_namespace
end
end
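Review bot: `have_content` matches only text visible on the page, so the new example would still pass if the private project's path were emitted in a hidden form field or an attribute; whether the form does that is not visible from this hunk. Consider also asserting on the raw markup, e.g. `expect(page.html).not_to include(private_project.path_with_namespace)`. The example otherwise duplicates the target-project one above apart from the parameter key, and the enclosing `feature` block continues outside the hunk.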
 
@@ -4,6 +4,8 @@ describe MergeRequests::BuildService, services: true do
include RepoHelpers
 
let(:project) { create(:project, :repository) }
let(:source_project) { nil }
let(:target_project) { nil }
let(:user) { create(:user) }
let(:issue_confidential) { false }
let(:issue) { create(:issue, project: project, title: 'A bug', confidential: issue_confidential) }
@@ -20,7 +22,9 @@ describe MergeRequests::BuildService, services: true do
MergeRequests::BuildService.new(project, user,
description: description,
source_branch: source_branch,
target_branch: target_branch)
target_branch: target_branch,
source_project: source_project,
target_project: target_project)
end
 
before do
@@ -256,5 +260,41 @@ describe MergeRequests::BuildService, services: true do
)
end
end
context 'target_project is set and accessible by current_user' do
let(:target_project) { create(:project, :public, :repository)}
let(:commits) { Commit.decorate([commit_1], project) }
it 'sets target project correctly' do
expect(merge_request.target_project).to eq(target_project)
end
end
context 'target_project is set but not accessible by current_user' do
let(:target_project) { create(:project, :private, :repository)}
let(:commits) { Commit.decorate([commit_1], project) }
it 'sets target project correctly' do
expect(merge_request.target_project).to eq(project)
end
end
context 'source_project is set and accessible by current_user' do
let(:source_project) { create(:project, :public, :repository)}
let(:commits) { Commit.decorate([commit_1], project) }
it 'sets target project correctly' do
expect(merge_request.source_project).to eq(source_project)
end
end
context 'source_project is set but not accessible by current_user' do
let(:source_project) { create(:project, :private, :repository)}
let(:commits) { Commit.decorate([commit_1], project) }
it 'sets target project correctly' do
expect(merge_request.source_project).to eq(project)
end
end
end
end
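Review bot: The two `source_project` contexts reuse the description `'sets target project correctly'` although they assert on `merge_request.source_project`, so a failure report would name the wrong attribute; rename them to `it 'sets source project correctly' do`. The accessible cases use only a `:public` project, so the suite never exercises a private project that `user` has been granted access to and cannot tell a visibility check from a permission check; a context with a `:private` source project and `user` added as a member would pin that. The `let` lines are also missing a space before the closing brace, e.g. `{ create(:project, :private, :repository) }`.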