Do not show moved issue ids for user not authorized

Do not show moved issue id for users that cannot read issue

Do not show moved issue ids for user not authorized
c11f7544 · Felipe Artur · b85e6215 · c11f7544 · c11f7544 · c11f7544
Commit c11f7544 authored 5 years ago by Felipe Artur
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
  expose :discussion_locked
  expose :assignees, using: API::Entities::UserBasic
  expose :due_date
-  expose :moved_to_id
  expose :project_id
  
+  expose :moved_to_id do |issue|
+    if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)
+      issue.moved_to_id
+    end
+  end
+
  expose :web_url do |issue|
    project_issue_path(issue.project, issue)
  end

--- a/changelogs/unreleased/security-hide_moved_issue_id.yml
+++ b/changelogs/unreleased/security-hide_moved_issue_id.yml
+---
+title: Do not show moved issue id for users that cannot read issue
+merge_request:
+author:
+type: security
--- a/spec/serializers/issue_entity_spec.rb
+++ b/spec/serializers/issue_entity_spec.rb
@@ -17,4 +17,37 @@ describe IssueEntity do
  it 'has time estimation attributes' do
    expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent)
  end
+
+  context 'when issue got moved' do
+    let(:public_project) { create(:project, :public) }
+    let(:member) { create(:user) }
+    let(:non_member) { create(:user) }
+    let(:issue) { create(:issue, project: public_project) }
+
+    before do
+      project.add_developer(member)
+      public_project.add_developer(member)
+      Issues::MoveService.new(public_project, member).execute(issue, project)
+    end
+
+    context 'when user cannot read target project' do
+      it 'does not return moved_to_id' do
+        request = double('request', current_user: non_member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to be_nil
+      end
+    end
+
+    context 'when user can read target project' do
+      it 'returns moved moved_to_id' do
+        request = double('request', current_user: member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to eq(issue.moved_to_id)
+      end
+    end
+  end
 end