Commit 8b62f95d authored by Yorick Peterse's avatar Yorick Peterse

Merge branch '11-6-security-2799-emails' into '11-6-stable'

Remove link after issue move when no permissions

See merge request gitlab/gitlabhq!2957
parents 7925de05 2bc55215
@@ -72,6 +72,7 @@ module Emails
 
@new_issue = new_issue
@new_project = new_issue.project
@can_access_project = recipient.can?(:read_project, @new_project)
mail_answer_thread(issue, issue_thread_options(updated_by_user.id, recipient.id, reason))
end
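Review bot: The added guard `recipient.can?(:read_project, @new_project)` is a project-level check, but the templates it gates reveal issue-level data: the new issue's title and URL. A recipient who can read the target project but not the issue itself (for example a confidential issue) would presumably still receive the title in the email. Consider checking the object being disclosed, `recipient.can?(:read_issue, @new_issue)`, and renaming the instance variable in the mailer and both templates to match. Whether such recipients can reach this mailer at all is not visible here and should be confirmed against the notification recipient list. The method's `def` line sits outside the hunk.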
 
%p
Issue was moved to another project.
%p
New issue:
= link_to project_issue_url(@new_project, @new_issue) do
= @new_issue.title
- if @can_access_project
%p
New issue:
= link_to project_issue_url(@new_project, @new_issue) do
= @new_issue.title
- else
You don't have access to the project.
Issue was moved to another project.
 
<% if @can_access_project %>
New issue location:
<%= project_issue_url(@new_project, @new_issue) %>
<% else %>
You don't have access to the project.
<% end %>
---
title: Don't show new issue link after move when a user does not have permissions
merge_request:
author:
type: security
@@ -194,23 +194,53 @@ describe Notify do
let(:new_issue) { create(:issue) }
subject { described_class.issue_moved_email(recipient, issue, new_issue, current_user) }
 
it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do
let(:model) { issue }
end
it_behaves_like 'it should show Gmail Actions View Issue link'
it_behaves_like 'an unsubscribeable thread'
context 'when a user has permissions to access the new issue' do
before do
new_issue.project.add_developer(recipient)
end
it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do
let(:model) { issue }
end
it_behaves_like 'it should show Gmail Actions View Issue link'
it_behaves_like 'an unsubscribeable thread'
it 'contains description about action taken' do
is_expected.to have_body_text 'Issue was moved to another project'
end
it 'has the correct subject and body' do
new_issue_url = project_issue_path(new_issue.project, new_issue)
 
it 'contains description about action taken' do
is_expected.to have_body_text 'Issue was moved to another project'
aggregate_failures do
is_expected.to have_referable_subject(issue, reply: true)
is_expected.to have_body_text(new_issue_url)
is_expected.to have_body_text(project_issue_path(project, issue))
end
end
it 'contains the issue title' do
is_expected.to have_body_text new_issue.title
end
end
 
it 'has the correct subject and body' do
new_issue_url = project_issue_path(new_issue.project, new_issue)
context 'when a user does not permissions to access the new issue' do
it 'has the correct subject and body' do
new_issue_url = project_issue_path(new_issue.project, new_issue)
 
aggregate_failures do
is_expected.to have_referable_subject(issue, reply: true)
is_expected.to have_body_text(new_issue_url)
is_expected.to have_body_text(project_issue_path(project, issue))
aggregate_failures do
is_expected.to have_referable_subject(issue, reply: true)
is_expected.not_to have_body_text(new_issue_url)
is_expected.to have_body_text(project_issue_path(project, issue))
end
end
it 'does not contain the issue title' do
is_expected.not_to have_body_text new_issue.title
end
it 'contains information about missing permissions' do
is_expected.to have_body_text "You don't have access to the project."
end
end
end
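Review bot: The negative context never establishes that the recipient lacks access. It passes only if `create(:issue)` happens to build a project the recipient cannot read, so a change to factory defaults could silently turn the `not_to have_body_text` assertions into a test of nothing. Pinning the state in that context, e.g. `let(:new_issue) { create(:issue, project: create(:project, :private)) }`, would make the security property explicit. The context description is also missing a word and should read `context 'when a user does not have permissions to access the new issue' do`. The enclosing `describe` block starts outside the hunk.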