Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
7d3284f6
Commit
7d3284f6
authored
Mar 05, 2019
by
Yorick Peterse
Browse files
Options
Browse Files
Download
Plain Diff
Merge dev.gitlab.org master into GitLab.com master
parents
cb64d81b
5cdcd339
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
112 additions
and
4 deletions
+112
-4
app/models/concerns/milestoneish.rb
app/models/concerns/milestoneish.rb
+12
-0
app/views/shared/milestones/_tabs.html.haml
app/views/shared/milestones/_tabs.html.haml
+2
-2
changelogs/unreleased/security-2774-milestones-detail.yml
changelogs/unreleased/security-2774-milestones-detail.yml
+5
-0
spec/models/concerns/milestoneish_spec.rb
spec/models/concerns/milestoneish_spec.rb
+93
-2
No files found.
app/models/concerns/milestoneish.rb
View file @
7d3284f6
...
@@ -53,6 +53,18 @@ module Milestoneish
...
@@ -53,6 +53,18 @@ module Milestoneish
end
end
end
end
def
issue_participants_visible_by_user
(
user
)
User
.
joins
(
:issue_assignees
)
.
where
(
'issue_assignees.issue_id'
=>
issues_visible_to_user
(
user
).
select
(
:id
))
.
distinct
end
def
issue_labels_visible_by_user
(
user
)
Label
.
joins
(
:label_links
)
.
where
(
'label_links.target_id'
=>
issues_visible_to_user
(
user
).
select
(
:id
),
'label_links.target_type'
=>
'Issue'
)
.
distinct
end
def
sorted_issues
(
user
)
def
sorted_issues
(
user
)
issues_visible_to_user
(
user
).
preload_associations
.
sort_by_attribute
(
'label_priority'
)
issues_visible_to_user
(
user
).
preload_associations
.
sort_by_attribute
(
'label_priority'
)
end
end
...
...
app/views/shared/milestones/_tabs.html.haml
View file @
7d3284f6
...
@@ -21,11 +21,11 @@
...
@@ -21,11 +21,11 @@
%li
.nav-item
%li
.nav-item
=
link_to
'#tab-participants'
,
class:
'nav-link'
,
'data-toggle'
=>
'tab'
,
'data-endpoint'
:
milestone_participants_tab_path
(
milestone
)
do
=
link_to
'#tab-participants'
,
class:
'nav-link'
,
'data-toggle'
=>
'tab'
,
'data-endpoint'
:
milestone_participants_tab_path
(
milestone
)
do
Participants
Participants
%span
.badge.badge-pill
=
milestone
.
participants
.
count
%span
.badge.badge-pill
=
milestone
.
issue_participants_visible_by_user
(
current_user
)
.
count
%li
.nav-item
%li
.nav-item
=
link_to
'#tab-labels'
,
class:
'nav-link'
,
'data-toggle'
=>
'tab'
,
'data-endpoint'
:
milestone_labels_tab_path
(
milestone
)
do
=
link_to
'#tab-labels'
,
class:
'nav-link'
,
'data-toggle'
=>
'tab'
,
'data-endpoint'
:
milestone_labels_tab_path
(
milestone
)
do
Labels
Labels
%span
.badge.badge-pill
=
milestone
.
labels
.
count
%span
.badge.badge-pill
=
milestone
.
issue_labels_visible_by_user
(
current_user
)
.
count
-
issues
=
milestone
.
sorted_issues
(
current_user
)
-
issues
=
milestone
.
sorted_issues
(
current_user
)
-
show_project_name
=
local_assigns
.
fetch
(
:show_project_name
,
false
)
-
show_project_name
=
local_assigns
.
fetch
(
:show_project_name
,
false
)
...
...
changelogs/unreleased/security-2774-milestones-detail.yml
0 → 100644
View file @
7d3284f6
---
title
:
Display only information visible to current user on the Milestone page
merge_request
:
author
:
type
:
security
spec/models/concerns/milestoneish_spec.rb
View file @
7d3284f6
...
@@ -9,8 +9,10 @@ describe Milestone, 'Milestoneish' do
...
@@ -9,8 +9,10 @@ describe Milestone, 'Milestoneish' do
let
(
:admin
)
{
create
(
:admin
)
}
let
(
:admin
)
{
create
(
:admin
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:milestone
)
{
create
(
:milestone
,
project:
project
)
}
let
(
:milestone
)
{
create
(
:milestone
,
project:
project
)
}
let!
(
:issue
)
{
create
(
:issue
,
project:
project
,
milestone:
milestone
)
}
let
(
:label1
)
{
create
(
:label
,
project:
project
)
}
let!
(
:security_issue_1
)
{
create
(
:issue
,
:confidential
,
project:
project
,
author:
author
,
milestone:
milestone
)
}
let
(
:label2
)
{
create
(
:label
,
project:
project
)
}
let!
(
:issue
)
{
create
(
:issue
,
project:
project
,
milestone:
milestone
,
assignees:
[
member
],
labels:
[
label1
])
}
let!
(
:security_issue_1
)
{
create
(
:issue
,
:confidential
,
project:
project
,
author:
author
,
milestone:
milestone
,
labels:
[
label2
])
}
let!
(
:security_issue_2
)
{
create
(
:issue
,
:confidential
,
project:
project
,
assignees:
[
assignee
],
milestone:
milestone
)
}
let!
(
:security_issue_2
)
{
create
(
:issue
,
:confidential
,
project:
project
,
assignees:
[
assignee
],
milestone:
milestone
)
}
let!
(
:closed_issue_1
)
{
create
(
:issue
,
:closed
,
project:
project
,
milestone:
milestone
)
}
let!
(
:closed_issue_1
)
{
create
(
:issue
,
:closed
,
project:
project
,
milestone:
milestone
)
}
let!
(
:closed_issue_2
)
{
create
(
:issue
,
:closed
,
project:
project
,
milestone:
milestone
)
}
let!
(
:closed_issue_2
)
{
create
(
:issue
,
:closed
,
project:
project
,
milestone:
milestone
)
}
...
@@ -42,6 +44,95 @@ describe Milestone, 'Milestoneish' do
...
@@ -42,6 +44,95 @@ describe Milestone, 'Milestoneish' do
end
end
end
end
context
'attributes visibility'
do
using
RSpec
::
Parameterized
::
TableSyntax
let
(
:users
)
do
{
anonymous:
nil
,
non_member:
non_member
,
guest:
guest
,
member:
member
,
assignee:
assignee
}
end
let
(
:project_visibility_levels
)
do
{
public:
Gitlab
::
VisibilityLevel
::
PUBLIC
,
internal:
Gitlab
::
VisibilityLevel
::
INTERNAL
,
private:
Gitlab
::
VisibilityLevel
::
PRIVATE
}
end
describe
'#issue_participants_visible_by_user'
do
where
(
:visibility
,
:user_role
,
:result
)
do
:public
|
nil
|
[
:member
]
:public
|
:non_member
|
[
:member
]
:public
|
:guest
|
[
:member
]
:public
|
:member
|
[
:member
,
:assignee
]
:internal
|
nil
|
[]
:internal
|
:non_member
|
[
:member
]
:internal
|
:guest
|
[
:member
]
:internal
|
:member
|
[
:member
,
:assignee
]
:private
|
nil
|
[]
:private
|
:non_member
|
[]
:private
|
:guest
|
[
:member
]
:private
|
:member
|
[
:member
,
:assignee
]
end
with_them
do
before
do
project
.
update
(
visibility_level:
project_visibility_levels
[
visibility
])
end
it
'returns the proper participants'
do
user
=
users
[
user_role
]
participants
=
result
.
map
{
|
role
|
users
[
role
]
}
expect
(
milestone
.
issue_participants_visible_by_user
(
user
)).
to
match_array
(
participants
)
end
end
end
describe
'#issue_labels_visible_by_user'
do
let
(
:labels
)
do
{
label1:
label1
,
label2:
label2
}
end
where
(
:visibility
,
:user_role
,
:result
)
do
:public
|
nil
|
[
:label1
]
:public
|
:non_member
|
[
:label1
]
:public
|
:guest
|
[
:label1
]
:public
|
:member
|
[
:label1
,
:label2
]
:internal
|
nil
|
[]
:internal
|
:non_member
|
[
:label1
]
:internal
|
:guest
|
[
:label1
]
:internal
|
:member
|
[
:label1
,
:label2
]
:private
|
nil
|
[]
:private
|
:non_member
|
[]
:private
|
:guest
|
[
:label1
]
:private
|
:member
|
[
:label1
,
:label2
]
end
with_them
do
before
do
project
.
update
(
visibility_level:
project_visibility_levels
[
visibility
])
end
it
'returns the proper participants'
do
user
=
users
[
user_role
]
expected_labels
=
result
.
map
{
|
label
|
labels
[
label
]
}
expect
(
milestone
.
issue_labels_visible_by_user
(
user
)).
to
match_array
(
expected_labels
)
end
end
end
end
describe
'#sorted_merge_requests'
do
describe
'#sorted_merge_requests'
do
it
'sorts merge requests by label priority'
do
it
'sorts merge requests by label priority'
do
merge_request_1
=
create
(
:labeled_merge_request
,
labels:
[
label_2
],
source_project:
project
,
source_branch:
'branch_1'
,
milestone:
milestone
)
merge_request_1
=
create
(
:labeled_merge_request
,
labels:
[
label_2
],
source_project:
project
,
source_branch:
'branch_1'
,
milestone:
milestone
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment