db0d3fc3
Commit
db0d3fc3
authored
Jun 27, 2016
by
Sean McGivern
Ensure logged-out users can't see private refs
parent
293cf090
Changes
4
Showing
4 changed files
with
42 additions
and
2 deletions
+42
-2
CHANGELOG
CHANGELOG
+3
-0
app/models/concerns/mentionable.rb
app/models/concerns/mentionable.rb
+1
-1
app/services/todo_service.rb
app/services/todo_service.rb
+1
-1
spec/models/concerns/mentionable_spec.rb
spec/models/concerns/mentionable_spec.rb
+37
-0
CHANGELOG
...
...
@@ -23,6 +23,9 @@ v 8.10.0 (unreleased)
- Allow [ci skip] to be in any case and allow [skip ci]. !4785 (simon_w)
- Add basic system information like memory and disk usage to the admin panel
v 8.9.4 (unreleased)
- Ensure references to private repos aren't shown to logged-out users
v 8.9.3
- Fix encrypted data backwards compatibility after upgrading attr_encrypted gem. !4963
- Fix rendering of commit notes. !4953
...
...
app/models/concerns/mentionable.rb
...
...
@@ -45,7 +45,7 @@ module Mentionable
def
all_references
(
current_user
=
nil
,
text
=
nil
,
extractor:
nil
)
extractor
||=
Gitlab
::
ReferenceExtractor
.
new
(
project
,
current_user
||
author
)
new
(
project
,
current_user
)
if
text
extractor
.
analyze
(
text
,
author:
author
)
...
...
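Review bot: Dropping the `current_user || author` fallback in the `extractor ||= Gitlab::ReferenceExtractor.new(project, current_user)` line means every caller that omits `current_user` now resolves references with anonymous visibility instead of the author's, so private-project references silently disappear for those callers rather than for logged-out viewers only. That is the right scoping for rendering to a viewer, but any call site that uses `all_references` on the author's behalf (the `#create_cross_references!` path covered in the spec, for instance) now has to pass the author explicitly the way `TodoService#filter_mentioned_users` does in this commit; it is worth confirming the remaining call sites do. The new meaning of the default deserves a comment above the `def`, e.g. `# current_user scopes which references are visible; nil means anonymous (public refs only).`, since `author:` is still passed to `analyze` and a reader could assume it also drives permissions. The body of `all_references` continues past the hunk.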
app/services/todo_service.rb
...
...
@@ -237,7 +237,7 @@ class TodoService
end
def
filter_mentioned_users
(
project
,
target
,
author
)
mentioned_users
=
target
.
mentioned_users
mentioned_users
=
target
.
mentioned_users
(
author
)
mentioned_users
=
reject_users_without_access
(
mentioned_users
,
project
,
target
)
mentioned_users
.
delete
(
author
)
mentioned_users
.
uniq
...
...
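Review bot: Passing `author` to `target.mentioned_users(author)` ties the mention extraction to the author's own visibility, which is the only thing that keeps this path working once the author fallback is removed from `Mentionable#all_references`; that dependency is not stated anywhere in the method. A one-line comment on the changed line would prevent someone from "simplifying" it back, e.g. `# Resolve mentions with the author's visibility: they can only notify users on references they can see themselves.`. If `author` can ever be nil here (system-generated targets, presumably), extraction would fall back to anonymous scope and private references would be dropped before `reject_users_without_access` runs; confirm the callers or add a guard. The enclosing `class TodoService` starts and ends outside the hunk.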
spec/models/concerns/mentionable_spec.rb
...
...
@@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
it
{
is_expected
.
not_to
include
(
user2
)
}
end
describe
'#referenced_mentionables'
do
context
'with an issue on a private project'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
let
(
:public_issue
)
{
create
(
:issue
,
project:
project
)
}
let
(
:private_project
)
{
create
(
:empty_project
,
:private
)
}
let
(
:private_issue
)
{
create
(
:issue
,
project:
private_project
)
}
let
(
:user
)
{
create
(
:user
)
}
def
referenced_issues
(
current_user
)
text
=
"
#{
private_issue
.
to_reference
(
project
)
}
and
#{
public_issue
.
to_reference
}
"
issue
.
referenced_mentionables
(
current_user
,
text
)
end
context
'when the current user can see the issue'
do
before
{
private_project
.
team
<<
[
user
,
Gitlab
::
Access
::
DEVELOPER
]
}
it
'includes the reference'
do
expect
(
referenced_issues
(
user
)).
to
contain_exactly
(
private_issue
,
public_issue
)
end
end
context
'when the current user cannot see the issue'
do
it
'does not include the reference'
do
expect
(
referenced_issues
(
user
)).
to
contain_exactly
(
public_issue
)
end
end
context
'when there is no current user'
do
it
'does not include the reference'
do
expect
(
referenced_issues
(
nil
)).
to
contain_exactly
(
public_issue
)
end
end
end
end
describe
'#create_cross_references!'
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:author
)
{
double
(
'author'
)
}
...
...
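Review bot: The `'when there is no current user'` example does not actually exercise the regression this commit fixes: under the old `current_user || author` fallback the result depended on the visibility of `issue`'s author, and since `issue` is created with the factory's default author (presumably not a member of `private_project`), the old code would have passed this example too. To pin the behaviour, make the author someone who can see the private issue, e.g. `let(:issue) { create(:issue, project: project, author: user) }` and, in that context, `before { private_project.team << [user, Gitlab::Access::DEVELOPER] }`, then keep the `contain_exactly(public_issue)` expectation. As a minor point of style, `let(:issue)` and `let(:public_issue)` are identical definitions; if they are meant to be distinct objects a short comment saying so would help, otherwise `public_issue` could simply reuse `issue`.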