Merge branch 'security-56224-11-7' into '11-7-stable'

Fix related branches visible in issues for guests See merge request gitlab/gitlabhq!3020

Merge branch 'security-56224-11-7' into '11-7-stable'
f6474895 · GitLab Release Tools Bot · 90578991 · 53e34ced · f6474895 · f6474895
Commit f6474895 authored 5 years ago by GitLab Release Tools Bot
--- a/app/assets/javascripts/issue.js
+++ b/app/assets/javascripts/issue.js
@@ -16,7 +16,9 @@ export default class Issue {
    Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
  
    Issue.initMergeRequests();
-    Issue.initRelatedBranches();
+    if (document.querySelector('#related-branches')) {
+      Issue.initRelatedBranches();
+    }
  
    this.closeButtons = $('a.btn-close');
    this.reopenButtons = $('a.btn-reopen');

--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -38,6 +38,7 @@ class Projects::IssuesController < Projects::ApplicationController
  before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
  
  before_action :authorize_import_issues!, only: [:import_csv]
+  before_action :authorize_download_code!, only: [:related_branches]
  
  before_action :set_suggested_issues_feature_flags, only: [:new]
  

--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -74,8 +74,9 @@
    #merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
      // This element is filled in using JavaScript.
  
-    #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
-      // This element is filled in using JavaScript.
+    - if can?(current_user, :download_code, @project)
+      #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
+        // This element is filled in using JavaScript.
  
  .content-block.emoji-block.emoji-block-sticky
    .row

--- a/changelogs/unreleased/security-56224.yml
+++ b/changelogs/unreleased/security-56224.yml
+---
+title: Hide "related branches" when user does not have permission
+merge_request:
+author:
+type: security
--- a/spec/features/issues/user_creates_branch_and_merge_request_spec.rb
+++ b/spec/features/issues/user_creates_branch_and_merge_request_spec.rb
 require 'rails_helper'
  
 describe 'User creates branch and merge request on issue page', :js do
+  let(:membership_level) { :developer }
  let(:user) { create(:user) }
  let!(:project) { create(:project, :repository) }
  let(:issue) { create(:issue, project: project, title: 'Cherry-Coloured Funk') }
@@ -17,7 +18,7 @@ describe 'User creates branch and merge request on issue page', :js do
  
  context 'when signed in' do
    before do
-      project.add_developer(user)
+      project.add_user(user, membership_level)
  
      sign_in(user)
    end
@@ -167,6 +168,39 @@ describe 'User creates branch and merge request on issue page', :js do
        expect(page).not_to have_css('.create-mr-dropdown-wrap')
      end
    end
+
+    context 'when related branch exists' do
+      let!(:project) { create(:project, :repository, :private) }
+      let(:branch_name) { "#{issue.iid}-foo" }
+
+      before do
+        project.repository.create_branch(branch_name, 'master')
+
+        visit project_issue_path(project, issue)
+      end
+
+      context 'when user is developer' do
+        it 'shows related branches' do
+          expect(page).to have_css('#related-branches')
+
+          wait_for_requests
+
+          expect(page).to have_content(branch_name)
+        end
+      end
+
+      context 'when user is guest' do
+        let(:membership_level) { :guest }
+
+        it 'does not show related branches' do
+          expect(page).not_to have_css('#related-branches')
+
+          wait_for_requests
+
+          expect(page).not_to have_content(branch_name)
+        end
+      end
+    end
  end
  
  private