ES: Project members with guest role can't access confidential issues

8b931410 · Douglas Barbosa Alexandre · 26909fe4 · 8b931410 · 8b931410 · 8b931410
Commit 8b931410 authored Jun 16, 2016 by Douglas Barbosa Alexandre
4 changed files
--- a/app/models/concerns/elastic/issues_search.rb
+++ b/app/models/concerns/elastic/issues_search.rb
@@ -69,7 +69,7 @@ module Elastic
                                   should: [
                                     { term: { author_id: current_user.id } },
                                     { term: { assignee_id: current_user.id } },
-                                     { terms: { project_id: current_user.authorized_projects.pluck(:id) } }
+                                     { terms: { project_id: current_user.authorized_projects(Gitlab::Access::REPORTER).pluck(:id) } }
                                   ]
                                 }
                               }

--- a/app/models/concerns/elastic/notes_search.rb
+++ b/app/models/concerns/elastic/notes_search.rb
@@ -92,7 +92,7 @@ module Elastic
                    should: [
                      { term: { "issue.author_id" => current_user.id } },
                      { term: { "issue.assignee_id" => current_user.id } },
-                      { terms: { "issue.project_id" => current_user.authorized_projects.pluck(:id) } }
+                      { terms: { "project_id" => current_user.authorized_projects(Gitlab::Access::REPORTER).pluck(:id) } }
                    ]
                  }
                }

--- a/spec/lib/gitlab/elastic/project_search_results_spec.rb
+++ b/spec/lib/gitlab/elastic/project_search_results_spec.rb
@@ -122,6 +122,18 @@ describe Gitlab::Elastic::ProjectSearchResults, lib: true do
      expect(results.issues_count).to eq 3
    end

+    it 'should not list project confidential issues for project members with guest role' do
+      project.team << [member, :guest]
+
+      results = described_class.new(member, project.id, query)
+      issues = results.objects('issues')
+
+      expect(issues).to include issue
+      expect(issues).not_to include security_issue_1
+      expect(issues).not_to include security_issue_2
+      expect(results.issues_count).to eq 1
+    end
+
    it 'should list all project issues for admin' do
      results = described_class.new(admin, project.id, query)
      issues = results.objects('issues')

--- a/spec/models/concerns/elastic/note_spec.rb
+++ b/spec/models/concerns/elastic/note_spec.rb
@@ -78,5 +78,39 @@ describe Note, elastic: true do

      expect(Note.elastic_search('term', options: options).total_count).to eq(1)
    end
+
+    it "return notes with matching content for project members" do
+      user = create :user
+      issue = create :issue, :confidential, author: user
+
+      member = create(:user)
+      issue.project.team << [member, :developer]
+
+      create :note, note: 'bla-bla term', project: issue.project, noteable: issue
+      create :note, project: issue.project, noteable: issue
+
+      Note.__elasticsearch__.refresh_index!
+
+      options = { project_ids: [issue.project.id], current_user: member }
+
+      expect(Note.elastic_search('term', options: options).total_count).to eq(1)
+    end
+
+    it "does not return notes with matching content for project members with guest role" do
+      user = create :user
+      issue = create :issue, :confidential, author: user
+
+      member = create(:user)
+      issue.project.team << [member, :guest]
+
+      create :note, note: 'bla-bla term', project: issue.project, noteable: issue
+      create :note, project: issue.project, noteable: issue
+
+      Note.__elasticsearch__.refresh_index!
+
+      options = { project_ids: [issue.project.id], current_user: member }
+
+      expect(Note.elastic_search('term', options: options).total_count).to eq(0)
+    end
  end
 end