Merge branch 'security-29983-private-project-name-exposed-security-ee' into 'master'

Filter out project notifications based on user access See merge request gitlab-org/security/gitlab!18

Merge branch 'security-29983-private-project-name-exposed-security-ee' into 'master'
Filter out project notifications based on user access See merge request gitlab-org/security/gitlab!18
21dabece · GitLab Release Tools Bot · b06a3464 · 03cbdf65 · 21dabece · 21dabece
Commit 21dabece authored Dec 31, 2019 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/profiles/notifications_controller.rb
+++ b/app/controllers/profiles/notifications_controller.rb
@@ -11,6 +11,7 @@ class Profiles::NotificationsController < Profiles::ApplicationController
      exclude_group_ids: @group_notifications.select(:source_id)
    ).execute.map { |group| current_user.notification_settings_for(group, inherit: true) }
    @project_notifications = current_user.notification_settings.for_projects.order(:id)
+                             .select { |notification| current_user.can?(:read_project, notification.source) }
    @global_notification_setting = current_user.global_notification_setting
  end
  # rubocop: enable CodeReuse/ActiveRecord

--- a/changelogs/unreleased/security-29983-private-project-name-exposed.yml
+++ b/changelogs/unreleased/security-29983-private-project-name-exposed.yml
+---
+title: Filter out notification settings for projects that a user does not have at least read access
+merge_request:
+author:
+type: security
--- a/spec/controllers/profiles/notifications_controller_spec.rb
+++ b/spec/controllers/profiles/notifications_controller_spec.rb
@@ -52,6 +52,35 @@ describe Profiles::NotificationsController do
        end.to exceed_query_limit(control)
      end
    end
+
+    context 'with project notifications' do
+      let!(:notification_setting) { create(:notification_setting, source: project, user: user, level: :watch) }
+
+      before do
+        sign_in(user)
+        get :show
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :public) }
+
+        it 'shows notification setting for project' do
+          expect(assigns(:project_notifications).map(&:source_id)).to include(project.id)
+        end
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :private) }
+
+        it 'shows notification setting for project' do
+          # notification settings for given project were created before project was set to private
+          expect(user.notification_settings.for_projects.map(&:source_id)).to include(project.id)
+
+          # check that notification settings for project where user does not have access are filtered
+          expect(assigns(:project_notifications)).to be_empty
+        end
+      end
+    end
  end

  describe 'POST update' do