Restrict access to references for confidential issues

405f5f23 · Douglas Barbosa Alexandre · 52f183ba · 405f5f23 · 405f5f23
Commit 405f5f23 authored Mar 02, 2016 by Douglas Barbosa Alexandre
Showing with 51 additions and 12 deletions

lib/banzai/filter/issue_reference_filter.rb lib/banzai/filter/issue_reference_filter.rb +17 -3

spec/lib/banzai/filter/redactor_filter_spec.rb spec/lib/banzai/filter/redactor_filter_spec.rb +34 -9

No files found.
--- a/lib/banzai/filter/issue_reference_filter.rb
+++ b/lib/banzai/filter/issue_reference_filter.rb
@@ -10,14 +10,28 @@ module Banzai
      end

      def self.user_can_see_reference?(user, node, context)
-        if node.has_attribute?('data-issue')
-          issue = Issue.find(node.attr('data-issue')) rescue nil
-          issue && !issue.confidential?
+        project = Project.find(node.attr('data-project')) rescue nil
+        return unless project
+
+        id = node.attr('data-issue')
+        issue = find_object(project, id)
+        return unless issue
+
+        if issue.is_a?(Issue) && issue.confidential?
+          Ability.abilities.allowed?(user, :read_issue, issue)
        else
          super
        end
      end

+      def self.find_object(project, id)
+        if project.default_issues_tracker?
+          project.issues.find_by(id: id)
+        else
+          ExternalIssue.new(id, project)
+        end
+      end
+
      def find_object(project, id)
        project.get_issue(id)
      end

--- a/spec/lib/banzai/filter/redactor_filter_spec.rb
+++ b/spec/lib/banzai/filter/redactor_filter_spec.rb
@@ -45,23 +45,48 @@ describe Banzai::Filter::RedactorFilter, lib: true do
  end

  context 'with data-issue' do
-    it 'removes references for confidential issues' do
-      user = create(:user)
-      project = create(:empty_project)
-      issue = create(:issue, :confidential, project: project)
+    context 'for confidential issues' do
+      it 'removes references for non project members' do
+        non_member = create(:user)
+        project = create(:empty_project, :public)
+        issue = create(:issue, :confidential, project: project)

-      link = reference_link(issue: issue.id, reference_filter: 'IssueReferenceFilter')
-      doc = filter(link, current_user: user)
+        link = reference_link(project: project.id, issue: issue.id, reference_filter: 'IssueReferenceFilter')
+        doc = filter(link, current_user: non_member)

-      expect(doc.css('a').length).to eq 0
+        expect(doc.css('a').length).to eq 0
+      end
+
+      it 'allows references for author' do
+        author = create(:user)
+        project = create(:empty_project, :public)
+        issue = create(:issue, :confidential, project: project, author: author)
+
+        link = reference_link(project: project.id, issue: issue.id, reference_filter: 'IssueReferenceFilter')
+        doc = filter(link, current_user: author)
+
+        expect(doc.css('a').length).to eq 1
+      end
+
+      it 'allows references for project members' do
+        member = create(:user)
+        project = create(:empty_project, :public)
+        project.team << [member, :developer]
+        issue = create(:issue, :confidential, project: project)
+
+        link = reference_link(project: project.id, issue: issue.id, reference_filter: 'IssueReferenceFilter')
+        doc = filter(link, current_user: member)
+
+        expect(doc.css('a').length).to eq 1
+      end
    end

    it 'allows references for non confidential issues' do
      user = create(:user)
-      project = create(:empty_project)
+      project = create(:empty_project, :public)
      issue = create(:issue, project: project)

-      link = reference_link(issue: issue.id, reference_filter: 'IssueReferenceFilter')
+      link = reference_link(project: project.id, issue: issue.id, reference_filter: 'IssueReferenceFilter')
      doc = filter(link, current_user: user)

      expect(doc.css('a').length).to eq 1