Merge branch 'security-2799-emails' into 'master'

[master] Remove link after issue move when no permissions See merge request gitlab/gitlabhq!2921

Merge branch 'security-2799-emails' into 'master'
[master] Remove link after issue move when no permissions See merge request gitlab/gitlabhq!2921
219075fc · Yorick Peterse · 6e1f0852 · 38f3c2e1 · 219075fc · 219075fc
Commit 219075fc authored Mar 04, 2019 by Yorick Peterse
5 changed files
--- a/app/mailers/emails/issues.rb
+++ b/app/mailers/emails/issues.rb
@@ -74,6 +74,7 @@ module Emails
      @new_issue = new_issue
      @new_project = new_issue.project
+      @can_access_project = recipient.can?(:read_project, @new_project)
      mail_answer_thread(issue, issue_thread_options(updated_by_user.id, recipient.id, reason))
    end

--- a/app/views/notify/issue_moved_email.html.haml
+++ b/app/views/notify/issue_moved_email.html.haml
 %p
  Issue was moved to another project.
-%p
+- if @can_access_project
-  New issue:
+  %p
-  = link_to project_issue_url(@new_project, @new_issue) do
+    New issue:
-    = @new_issue.title
+    = link_to project_issue_url(@new_project, @new_issue) do
+      = @new_issue.title
+- else
+  You don't have access to the project.
--- a/app/views/notify/issue_moved_email.text.erb
+++ b/app/views/notify/issue_moved_email.text.erb
 Issue was moved to another project.
+<% if @can_access_project %>
 New issue location:
 <%= project_issue_url(@new_project, @new_issue) %>
+<% else %>
+You don't have access to the project.
+<% end %>
--- a/changelogs/unreleased/security-2799-emails.yml
+++ b/changelogs/unreleased/security-2799-emails.yml
+---
+title: Don't show new issue link after move when a user does not have permissions
+merge_request:
+author:
+type: security
--- a/spec/mailers/notify_spec.rb
+++ b/spec/mailers/notify_spec.rb
@@ -194,23 +194,53 @@ describe Notify do
        let(:new_issue) { create(:issue) }
        subject { described_class.issue_moved_email(recipient, issue, new_issue, current_user) }
-        it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do
+        context 'when a user has permissions to access the new issue' do
-          let(:model) { issue }
+          before do
-        end
+            new_issue.project.add_developer(recipient)
-        it_behaves_like 'it should show Gmail Actions View Issue link'
+          end
-        it_behaves_like 'an unsubscribeable thread'
+          it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do
+            let(:model) { issue }
+          end
+          it_behaves_like 'it should show Gmail Actions View Issue link'
+          it_behaves_like 'an unsubscribeable thread'
+          it 'contains description about action taken' do
+            is_expected.to have_body_text 'Issue was moved to another project'
+          end
+          it 'has the correct subject and body' do
+            new_issue_url = project_issue_path(new_issue.project, new_issue)
-        it 'contains description about action taken' do
+            aggregate_failures do
-          is_expected.to have_body_text 'Issue was moved to another project'
+              is_expected.to have_referable_subject(issue, reply: true)
+              is_expected.to have_body_text(new_issue_url)
+              is_expected.to have_body_text(project_issue_path(project, issue))
+            end
+          end
+          it 'contains the issue title' do
+            is_expected.to have_body_text new_issue.title
+          end
        end
-        it 'has the correct subject and body' do
+        context 'when a user does not permissions to access the new issue' do
-          new_issue_url = project_issue_path(new_issue.project, new_issue)
+          it 'has the correct subject and body' do
+            new_issue_url = project_issue_path(new_issue.project, new_issue)
-          aggregate_failures do
+            aggregate_failures do
-            is_expected.to have_referable_subject(issue, reply: true)
+              is_expected.to have_referable_subject(issue, reply: true)
-            is_expected.to have_body_text(new_issue_url)
+              is_expected.not_to have_body_text(new_issue_url)
-            is_expected.to have_body_text(project_issue_path(project, issue))
+              is_expected.to have_body_text(project_issue_path(project, issue))
+            end
+          end
+          it 'does not contain the issue title' do
+            is_expected.not_to have_body_text new_issue.title
+          end
+          it 'contains information about missing permissions' do
+            is_expected.to have_body_text "You don't have access to the project."
          end
        end
      end