0ff446c5
Commit
0ff446c5
authored
Mar 15, 2022
by
Gary Holtz
Committed by
Andrew Fontaine
Mar 28, 2022
Hide features a user shouldn't be able to see in a list of forks
Changelog: security
parent
1bfeb700
Changes
4
Showing
4 changed files
with
105 additions
and
2 deletions
+105
-2
app/helpers/projects_helper.rb
app/helpers/projects_helper.rb
+12
-0
app/views/shared/projects/_list.html.haml
app/views/shared/projects/_list.html.haml
+2
-2
spec/features/projects/forks/fork_list_spec.rb
spec/features/projects/forks/fork_list_spec.rb
+22
-0
spec/helpers/projects_helper_spec.rb
spec/helpers/projects_helper_spec.rb
+69
-0
app/helpers/projects_helper.rb
@@ -420,6 +420,18 @@ module ProjectsHelper
project
.
path_with_namespace
end
def
able_to_see_issues?
(
project
,
user
)
project
.
issues_enabled?
&&
can?
(
user
,
:read_issue
,
project
)
end
def
able_to_see_merge_requests?
(
project
,
user
)
project
.
merge_requests_enabled?
&&
can?
(
user
,
:read_merge_request
,
project
)
end
def
able_to_see_last_commit?
(
show_last_commit_as_description
,
project
,
user
)
show_last_commit_as_description
&&
can?
(
user
,
:read_commit_status
,
project
)
end
def
fork_button_disabled_tooltip
(
project
)
return
unless
current_user
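Review bot: The three new predicates at the top of the hunk (`able_to_see_issues?`, `able_to_see_merge_requests?`, `able_to_see_last_commit?`) carry no comment saying what they gate, even though they are the authorization boundary for the fork listing and the `Changelog: security` trailer marks them as such. A short header above the first one, e.g. `# Visibility checks for the shared project list: a feature link is rendered only when the feature is enabled on the project AND the viewing user holds the matching ability.`, would tell the next maintainer not to reorder or shortcut these. `able_to_see_last_commit?` relies on `:read_commit_status`, whose name suggests pipeline/CI status rather than access to commit content; if the intent is to hide repository data from users without code access, confirm that this ability implies it and document the choice either way. `fork_button_disabled_tooltip` continues outside the hunk.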
app/views/shared/projects/_list.html.haml
@@ -37,8 +37,8 @@
-
css_class
=
(
i
>=
projects_limit
)
||
project
.
pending_delete?
?
'hide'
:
nil
=
render
"shared/projects/project"
,
project:
project
,
skip_namespace:
skip_namespace
,
avatar:
avatar
,
stars:
stars
,
css_class:
css_class
,
use_creator_avatar:
use_creator_avatar
,
forks:
project
.
forking_enabled?
,
show_last_commit_as_description:
show_last_commit_as_description
,
user:
user
,
merge_requests:
project
.
merge_requests_enabled?
,
issues:
project
.
issues_enabled?
,
forks:
project
.
forking_enabled?
,
show_last_commit_as_description:
able_to_see_last_commit?
(
show_last_commit_as_description
,
project
,
user
)
,
user:
user
,
merge_requests:
able_to_see_merge_requests?
(
project
,
user
),
issues:
able_to_see_issues?
(
project
,
user
)
,
pipeline_status:
pipeline_status
,
compact_mode:
compact_mode
=
paginate_collection
(
projects
,
remote:
remote
)
unless
skip_pagination
-
else
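Review bot: On the new side `forks: project.forking_enabled?` and `pipeline_status: pipeline_status` are still passed as the bare feature flag / raw value, while the neighbouring `show_last_commit_as_description:`, `merge_requests:` and `issues:` now go through `can?`-backed helpers. If the fork link and pipeline status are also "features a user shouldn't be able to see" (the commit title), they should follow the same pattern, e.g. a matching `able_to_see_forks?(project, user)` helper; if the `shared/projects/project` partial already guards them itself, a one-line `-# forks/pipeline_status are permission-checked inside the partial` would make the asymmetry intentional rather than an oversight. Only the `render` call is visible in this hunk, so which of the two applies cannot be determined from here.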
spec/features/projects/forks/fork_list_spec.rb
@@ -24,6 +24,28 @@ RSpec.describe 'listing forks of a project' do
end
end
context
"when a fork is set to allow only project members to access features"
do
let
(
:outside_user
)
{
create
(
:user
)
}
before
do
sign_in
(
outside_user
)
allow_any_instance_of
(
ProjectsHelper
).
to
receive
(
:able_to_see_last_commit?
).
and_return
(
false
)
allow_any_instance_of
(
ProjectsHelper
).
to
receive
(
:able_to_see_merge_requests?
).
and_return
(
false
)
allow_any_instance_of
(
ProjectsHelper
).
to
receive
(
:able_to_see_issues?
).
and_return
(
false
)
end
it
'will not show that information in the original forks list'
do
visit
project_forks_path
(
source
)
page
.
within
(
'li.project-row'
)
do
expect
(
page
).
not_to
have_css
(
'a.commit-row-message'
)
expect
(
page
).
not_to
have_css
(
'a.issues'
)
expect
(
page
).
not_to
have_css
(
'a.merge-requests'
)
end
end
end
it
'does not show the commit message when an external authorization service is used'
do
enable_external_authorization_service_check
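Review bot: The context title `"when a fork is set to allow only project members to access features"` does not match its setup: nothing in the `before` block changes the fork's feature visibility, and the three `allow_any_instance_of(ProjectsHelper).to receive(...).and_return(false)` stubs replace the very predicates under test, so the example only proves the partial honours a false return and would still pass if the real `can?` checks were wrong. Consider building the fork with its feature visibility restricted to members and signing in `outside_user` without stubbing the helpers, so the end-to-end permission path is exercised. `allow_any_instance_of` is also discouraged by rspec-mocks in favour of a stub on the specific helper/view instance. The example `'does not show the commit message when an external authorization service is used'` continues outside the hunk.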
spec/helpers/projects_helper_spec.rb
@@ -1000,6 +1000,75 @@ RSpec.describe ProjectsHelper do
end
end
context
'fork security helpers'
do
using
RSpec
::
Parameterized
::
TableSyntax
describe
"#able_to_see_merge_requests?"
do
subject
{
helper
.
able_to_see_merge_requests?
(
project
,
user
)
}
where
(
:can_read_merge_request
,
:merge_requests_enabled
,
:expected
)
do
false
|
false
|
false
true
|
false
|
false
false
|
true
|
false
true
|
true
|
true
end
with_them
do
before
do
allow
(
project
).
to
receive
(
:merge_requests_enabled?
).
and_return
(
merge_requests_enabled
)
allow
(
helper
).
to
receive
(
:can?
).
with
(
user
,
:read_merge_request
,
project
).
and_return
(
can_read_merge_request
)
end
it
'returns the correct response'
do
expect
(
subject
).
to
eq
(
expected
)
end
end
end
describe
"#able_to_see_issues?"
do
subject
{
helper
.
able_to_see_issues?
(
project
,
user
)
}
where
(
:can_read_issues
,
:issues_enabled
,
:expected
)
do
false
|
false
|
false
true
|
false
|
false
false
|
true
|
false
true
|
true
|
true
end
with_them
do
before
do
allow
(
project
).
to
receive
(
:issues_enabled?
).
and_return
(
issues_enabled
)
allow
(
helper
).
to
receive
(
:can?
).
with
(
user
,
:read_issue
,
project
).
and_return
(
can_read_issues
)
end
it
'returns the correct response'
do
expect
(
subject
).
to
eq
(
expected
)
end
end
end
describe
"#able_to_see_last_commit?"
do
subject
{
helper
.
able_to_see_last_commit?
(
show_last_commit_as_description
,
project
,
user
)
}
where
(
:can_read_last_commit
,
:show_last_commit_as_description
,
:expected
)
do
false
|
false
|
false
true
|
false
|
false
false
|
true
|
false
true
|
true
|
true
end
with_them
do
before
do
allow
(
helper
).
to
receive
(
:can?
).
with
(
user
,
:read_commit_status
,
project
).
and_return
(
can_read_last_commit
)
end
it
'returns the correct response'
do
expect
(
subject
).
to
eq
(
expected
)
end
end
end
end
describe
'#fork_button_disabled_tooltip'
do
using
RSpec
::
Parameterized
::
TableSyntax
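Review bot: None of the three tables covers a `nil` (anonymous) viewer, which is the case a public fork listing most needs to get right; if the helper's `can?` accepts a nil user, a row or separate example with `user` set to `nil` and `can?` stubbed accordingly would pin that every `able_to_see_*` predicate stays falsy for unauthenticated visitors. The third table's column is named `can_read_last_commit` while the ability stubbed in its `before` block is `:read_commit_status`; naming the column after the ability, `:can_read_commit_status`, keeps the table readable next to the stub. `using RSpec::Parameterized::TableSyntax` is declared both in the new `'fork security helpers'` context and again in the following `'#fork_button_disabled_tooltip'` describe; a single `using` on the enclosing `RSpec.describe ProjectsHelper` would remove the duplication. The `#fork_button_disabled_tooltip` describe continues outside the hunk.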