Commit 3e4c2b04 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-56224' into 'master'

Fix related branches visible in issues for guests

See merge request gitlab/gitlabhq!2996
parents b122be5e 727ec955
...@@ -16,7 +16,9 @@ export default class Issue { ...@@ -16,7 +16,9 @@ export default class Issue {
Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap'); Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
Issue.initMergeRequests(); Issue.initMergeRequests();
if (document.querySelector('#related-branches')) {
Issue.initRelatedBranches(); Issue.initRelatedBranches();
}
this.closeButtons = $('a.btn-close'); this.closeButtons = $('a.btn-close');
this.reopenButtons = $('a.btn-reopen'); this.reopenButtons = $('a.btn-reopen');
......
...@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController ...@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController
before_action :authorize_create_merge_request_from!, only: [:create_merge_request] before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
before_action :authorize_import_issues!, only: [:import_csv] before_action :authorize_import_issues!, only: [:import_csv]
before_action :authorize_download_code!, only: [:related_branches]
before_action :set_suggested_issues_feature_flags, only: [:new] before_action :set_suggested_issues_feature_flags, only: [:new]
......
...@@ -80,6 +80,7 @@ ...@@ -80,6 +80,7 @@
#merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } } #merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript. // This element is filled in using JavaScript.
- if can?(current_user, :download_code, @project)
#related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } } #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript. // This element is filled in using JavaScript.
......
---
title: Hide "related branches" when user does not have permission
merge_request:
author:
type: security
require 'rails_helper' require 'rails_helper'
describe 'User creates branch and merge request on issue page', :js do describe 'User creates branch and merge request on issue page', :js do
let(:membership_level) { :developer }
let(:user) { create(:user) } let(:user) { create(:user) }
let!(:project) { create(:project, :repository) } let!(:project) { create(:project, :repository) }
let(:issue) { create(:issue, project: project, title: 'Cherry-Coloured Funk') } let(:issue) { create(:issue, project: project, title: 'Cherry-Coloured Funk') }
...@@ -17,7 +18,7 @@ describe 'User creates branch and merge request on issue page', :js do ...@@ -17,7 +18,7 @@ describe 'User creates branch and merge request on issue page', :js do
context 'when signed in' do context 'when signed in' do
before do before do
project.add_developer(user) project.add_user(user, membership_level)
sign_in(user) sign_in(user)
end end
...@@ -167,6 +168,39 @@ describe 'User creates branch and merge request on issue page', :js do ...@@ -167,6 +168,39 @@ describe 'User creates branch and merge request on issue page', :js do
expect(page).not_to have_css('.create-mr-dropdown-wrap') expect(page).not_to have_css('.create-mr-dropdown-wrap')
end end
end end
context 'when related branch exists' do
let!(:project) { create(:project, :repository, :private) }
let(:branch_name) { "#{issue.iid}-foo" }
before do
project.repository.create_branch(branch_name, 'master')
visit project_issue_path(project, issue)
end
context 'when user is developer' do
it 'shows related branches' do
expect(page).to have_css('#related-branches')
wait_for_requests
expect(page).to have_content(branch_name)
end
end
context 'when user is guest' do
let(:membership_level) { :guest }
it 'does not show related branches' do
expect(page).not_to have_css('#related-branches')
wait_for_requests
expect(page).not_to have_content(branch_name)
end
end
end
end end
private private
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment