Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
727ec955
Commit
727ec955
authored
Mar 11, 2019
by
Mark Chao
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Hide related branches when user does not have permission
Guest user of a project should not see branches
parent
6a0702fe
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
47 additions
and
4 deletions
+47
-4
app/assets/javascripts/issue.js
app/assets/javascripts/issue.js
+3
-1
app/controllers/projects/issues_controller.rb
app/controllers/projects/issues_controller.rb
+1
-0
app/views/projects/issues/show.html.haml
app/views/projects/issues/show.html.haml
+3
-2
changelogs/unreleased/security-56224.yml
changelogs/unreleased/security-56224.yml
+5
-0
spec/features/issues/user_creates_branch_and_merge_request_spec.rb
...ures/issues/user_creates_branch_and_merge_request_spec.rb
+35
-1
No files found.
app/assets/javascripts/issue.js
View file @
727ec955
...
@@ -16,7 +16,9 @@ export default class Issue {
...
@@ -16,7 +16,9 @@ export default class Issue {
Issue
.
createMrDropdownWrap
=
document
.
querySelector
(
'
.create-mr-dropdown-wrap
'
);
Issue
.
createMrDropdownWrap
=
document
.
querySelector
(
'
.create-mr-dropdown-wrap
'
);
Issue
.
initMergeRequests
();
Issue
.
initMergeRequests
();
if
(
document
.
querySelector
(
'
#related-branches
'
))
{
Issue
.
initRelatedBranches
();
Issue
.
initRelatedBranches
();
}
this
.
closeButtons
=
$
(
'
a.btn-close
'
);
this
.
closeButtons
=
$
(
'
a.btn-close
'
);
this
.
reopenButtons
=
$
(
'
a.btn-reopen
'
);
this
.
reopenButtons
=
$
(
'
a.btn-reopen
'
);
...
...
app/controllers/projects/issues_controller.rb
View file @
727ec955
...
@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController
...
@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController
before_action
:authorize_create_merge_request_from!
,
only:
[
:create_merge_request
]
before_action
:authorize_create_merge_request_from!
,
only:
[
:create_merge_request
]
before_action
:authorize_import_issues!
,
only:
[
:import_csv
]
before_action
:authorize_import_issues!
,
only:
[
:import_csv
]
before_action
:authorize_download_code!
,
only:
[
:related_branches
]
before_action
:set_suggested_issues_feature_flags
,
only:
[
:new
]
before_action
:set_suggested_issues_feature_flags
,
only:
[
:new
]
...
...
app/views/projects/issues/show.html.haml
View file @
727ec955
...
@@ -80,6 +80,7 @@
...
@@ -80,6 +80,7 @@
#merge-requests
{
data:
{
url:
referenced_merge_requests_project_issue_path
(
@project
,
@issue
)
}
}
#merge-requests
{
data:
{
url:
referenced_merge_requests_project_issue_path
(
@project
,
@issue
)
}
}
// This element is filled in using JavaScript.
// This element is filled in using JavaScript.
-
if
can?
(
current_user
,
:download_code
,
@project
)
#related-branches
{
data:
{
url:
related_branches_project_issue_path
(
@project
,
@issue
)
}
}
#related-branches
{
data:
{
url:
related_branches_project_issue_path
(
@project
,
@issue
)
}
}
// This element is filled in using JavaScript.
// This element is filled in using JavaScript.
...
...
changelogs/unreleased/security-56224.yml
0 → 100644
View file @
727ec955
---
title
:
Hide "related branches" when user does not have permission
merge_request
:
author
:
type
:
security
spec/features/issues/user_creates_branch_and_merge_request_spec.rb
View file @
727ec955
require
'rails_helper'
require
'rails_helper'
describe
'User creates branch and merge request on issue page'
,
:js
do
describe
'User creates branch and merge request on issue page'
,
:js
do
let
(
:membership_level
)
{
:developer
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let!
(
:project
)
{
create
(
:project
,
:repository
)
}
let!
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
project
,
title:
'Cherry-Coloured Funk'
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
project
,
title:
'Cherry-Coloured Funk'
)
}
...
@@ -17,7 +18,7 @@ describe 'User creates branch and merge request on issue page', :js do
...
@@ -17,7 +18,7 @@ describe 'User creates branch and merge request on issue page', :js do
context
'when signed in'
do
context
'when signed in'
do
before
do
before
do
project
.
add_
developer
(
user
)
project
.
add_
user
(
user
,
membership_level
)
sign_in
(
user
)
sign_in
(
user
)
end
end
...
@@ -167,6 +168,39 @@ describe 'User creates branch and merge request on issue page', :js do
...
@@ -167,6 +168,39 @@ describe 'User creates branch and merge request on issue page', :js do
expect
(
page
).
not_to
have_css
(
'.create-mr-dropdown-wrap'
)
expect
(
page
).
not_to
have_css
(
'.create-mr-dropdown-wrap'
)
end
end
end
end
context
'when related branch exists'
do
let!
(
:project
)
{
create
(
:project
,
:repository
,
:private
)
}
let
(
:branch_name
)
{
"
#{
issue
.
iid
}
-foo"
}
before
do
project
.
repository
.
create_branch
(
branch_name
,
'master'
)
visit
project_issue_path
(
project
,
issue
)
end
context
'when user is developer'
do
it
'shows related branches'
do
expect
(
page
).
to
have_css
(
'#related-branches'
)
wait_for_requests
expect
(
page
).
to
have_content
(
branch_name
)
end
end
context
'when user is guest'
do
let
(
:membership_level
)
{
:guest
}
it
'does not show related branches'
do
expect
(
page
).
not_to
have_css
(
'#related-branches'
)
wait_for_requests
expect
(
page
).
not_to
have_content
(
branch_name
)
end
end
end
end
end
private
private
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment