Prevent private project name and namespace from leaking in the new MR view

Fixes #15591. Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent private project name and namespace from leaking in the new MR view
cd0750e0 · Rémy Coutable · Robert Speicher · b79c5c40 · cd0750e0 · cd0750e0
Commit cd0750e0 authored 8 years ago by Rémy Coutable Committed by Robert Speicher 8 years ago
--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -7,6 +7,9 @@ module MergeRequests
      merge_request.can_be_created = false
      merge_request.compare_commits = []
      merge_request.source_project = project unless merge_request.source_project
+
+      merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
      merge_request.target_project ||= (project.forked_from_project || project)
      merge_request.target_branch ||= merge_request.target_project.default_branch
  

--- a/spec/features/merge_requests/create_new_mr_spec.rb
+++ b/spec/features/merge_requests/create_new_mr_spec.rb
@@ -30,4 +30,14 @@ feature 'Create New Merge Request', feature: true, js: true do
  
    expect(page).to have_content 'git checkout -b orphaned-branch origin/orphaned-branch'
  end
+
+  context 'when target project cannot be viewed by the current user' do
+    it 'does not leak the private project name & namespace' do
+      private_project = create(:project, :private)
+
+      visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
+
+      expect(page).not_to have_content private_project.to_reference
+    end
+  end
 end