Commit b8a393f4 authored by Sam Bigelow's avatar Sam Bigelow

Hide github access token in repository settings

Prevent fellow maintainers from seeing a github access token in the
repository settings
parent 8850e61c
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
- import_state = @project.import_state - import_state = @project.import_state
%tr %tr
%td= @project.username_only_import_url %td.mirror-url= @project.safe_import_url
%td= _('Pull') %td= _('Pull')
%td= import_state.last_update_at.present? ? time_ago_with_tooltip(import_state.last_update_at) : _('Never') %td= import_state.last_update_at.present? ? time_ago_with_tooltip(import_state.last_update_at) : _('Never')
%td %td
......
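Review bot: The switch to `@project.safe_import_url` in the `%td.mirror-url` cell has no comment saying why the username part of the URL must not be rendered, so a later cleanup could revert to `username_only_import_url` and reintroduce the leak. The spec in this commit places the token in the userinfo position with no password, which is presumably the case the old helper printed in full. I would add a HAML comment above the cell, for example `-# safe_import_url masks the whole userinfo; access tokens are often supplied as the URL username`. Only this table row is visible in the hunk, so it is worth confirming that the import URL is not rendered unmasked elsewhere on the settings page, such as in a form field or an error message.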
---
title: Hide personal access tokens from other maintainers
merge_request:
author:
type: security
...@@ -29,9 +29,11 @@ describe 'Project settings > [EE] repository' do ...@@ -29,9 +29,11 @@ describe 'Project settings > [EE] repository' do
end end
context 'licensed' do context 'licensed' do
it 'shows pull mirror settings', :js do before do
stub_licensed_features(repository_mirrors: true) stub_licensed_features(repository_mirrors: true)
end
it 'shows pull mirror settings', :js do
visit project_settings_repository_path(project) visit project_settings_repository_path(project)
page.within('.project-mirror-settings') do page.within('.project-mirror-settings') do
...@@ -43,5 +45,26 @@ describe 'Project settings > [EE] repository' do ...@@ -43,5 +45,26 @@ describe 'Project settings > [EE] repository' do
expect(page).to have_selector('#project_mirror_trigger_builds') expect(page).to have_selector('#project_mirror_trigger_builds')
end end
end end
context 'mirrored external repo', :js do
let(:personal_access_token) { '461171575b95eeb61fba5face8ab838853d0121f' }
let(:external_project) do
create(:project_empty_repo,
:mirror,
import_url: "https://#{personal_access_token}@github.com/testngalog2/newrepository.git")
end
before do
external_project.add_maintainer(user)
visit project_settings_repository_path(external_project)
end
it 'does not show personal access token' do
mirror_url = find('.mirror-url').text
expect(mirror_url).not_to include(personal_access_token)
expect(mirror_url).to include('https://*****@github.com/')
end
end
end end
end end
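Review bot: The new example `does not show personal access token` asserts only on the text of `.mirror-url`, so the spec would still pass if the token appeared elsewhere in the rendered settings page (an input value, a data attribute, an error message). Adding `expect(page.html).not_to include(personal_access_token)` after the existing expectations would cover the whole document rather than one cell. Separately, the `personal_access_token` fixture is a 40-character hex string shaped like a real token and sits next to a real-looking repository path; if it was ever a live credential it should be revoked, and an obviously constructed value such as `'a' * 40` would avoid secret-scanner hits. The enclosing `describe` block starts outside this hunk.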