Skip to content
Snippets Groups Projects
Commit f37b0cd6 authored by Alexandru Croitor's avatar Alexandru Croitor
Browse files

Hide disabled project milestones in project settings on group level

parent 7099ecf7
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app/controllers/groups/milestones_controller.rb
+ 8
4
View file @ f37b0cd6
@@ -3,14 +3,13 @@
class Groups::MilestonesController < Groups::ApplicationController
include MilestoneActions
 
before_action :group_projects
before_action :milestone, only: [:edit, :show, :update, :merge_requests, :participants, :labels, :destroy]
before_action :authorize_admin_milestones!, only: [:edit, :new, :create, :update, :destroy]
 
def index
respond_to do |format|
format.html do
@milestone_states = Milestone.states_count(group_projects, [group])
@milestone_states = Milestone.states_count(group_projects_with_access, [group])
@milestones = Kaminari.paginate_array(milestones).page(params[:page])
end
format.json do
@@ -100,13 +99,18 @@ class Groups::MilestonesController < Groups::ApplicationController
end
 
def legacy_milestones
GroupMilestone.build_collection(group, group_projects, params)
GroupMilestone.build_collection(group, group_projects_with_access, params)
end
def group_projects_with_access
group_projects.with_issues_available_for_user(current_user)
.or(group_projects.with_merge_requests_available_for_user(current_user))
end
 
def milestone
@milestone =
if params[:title]
GroupMilestone.build(group, group_projects, params[:title])
GroupMilestone.build(group, group_projects_with_access, params[:title])
else
group.milestones.find_by_iid(params[:id])
end
changelogs/unreleased/security-12718-project-milestones-disclosed-via-groups.yml 0 → 100644
+ 6
0
View file @ f37b0cd6
---
title: Do not disclose project milestones on group milestones page when project milestones
access is disabled in project settings
merge_request:
author:
type: security
spec/controllers/groups/milestones_controller_spec.rb
+ 69
2
View file @ f37b0cd6
@@ -3,8 +3,8 @@
require 'spec_helper'
 
describe Groups::MilestonesController do
let(:group) { create(:group) }
let!(:project) { create(:project, group: group) }
let(:group) { create(:group, :public) }
let!(:project) { create(:project, :public, group: group) }
let!(:project2) { create(:project, group: group) }
let(:user) { create(:user) }
let(:title) { '肯定不是中文的问题' }
@@ -63,6 +63,73 @@ describe Groups::MilestonesController do
expect(response.body).to include(group_milestone.title)
expect(response.body).not_to include(milestone.title)
end
context 'when anonymous user' do
before do
sign_out(user)
end
it 'shows group milestones page' do
milestone
get :index, params: { group_id: group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).to include(milestone.title)
end
end
context 'when issues and merge requests are disabled in public project' do
shared_examples 'milestone not accessible' do
it 'does not return milestone' do
get :index, params: { group_id: public_group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).not_to include(private_milestone.title)
end
end
let!(:public_group) { create(:group, :public) }
let!(:public_project_with_private_issues_and_mrs) do
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
end
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
context 'when anonymous user' do
before do
sign_out(user)
end
it_behaves_like 'milestone not accessible'
end
context 'when non project or group member user' do
let(:non_member) { create(:user) }
before do
sign_in(non_member)
end
it_behaves_like 'milestone not accessible'
end
context 'when group member user' do
let(:member) { create(:user) }
before do
sign_in(member)
public_group.add_guest(member)
end
it 'returns the milestone' do
get :index, params: { group_id: public_group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).to include(private_milestone.title)
end
end
end
end
 
context 'as JSON' do
spec/requests/groups/milestones_controller_spec.rb 0 → 100644
+ 32
0
View file @ f37b0cd6
require 'spec_helper'
describe Groups::MilestonesController do
context 'N+1 DB queries' do
let(:user) { create(:user) }
let!(:public_group) { create(:group, :public) }
let!(:public_project_with_private_issues_and_mrs) do
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
end
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
it 'avoids N+1 database queries' do
public_project = create(:project, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
create(:milestone, project: public_project)
control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) { get "/groups/#{public_group.to_param}/-/milestones.json" }.count
projects = create_list(:project, 2, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
projects.each do |project|
create(:milestone, project: project)
end
expect { get "/groups/#{public_group.to_param}/-/milestones.json" }.not_to exceed_all_query_limit(control_count)
expect(response).to have_http_status(200)
milestones = json_response
expect(milestones.count).to eq(3)
expect(milestones.map {|x| x['title']}).not_to include(private_milestone.title)
end
end
end
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment