Commit dff4e3c7 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests' into 'master'

Display only participants that user has permission to see

See merge request gitlab/gitlabhq!3401
parents 80c28e9f 021353dd
...@@ -20,7 +20,7 @@ module MilestoneActions ...@@ -20,7 +20,7 @@ module MilestoneActions
format.html { redirect_to milestone_redirect_path } format.html { redirect_to milestone_redirect_path }
format.json do format.json do
render json: tabs_json("shared/milestones/_participants_tab", { render json: tabs_json("shared/milestones/_participants_tab", {
users: @milestone.participants # rubocop:disable Gitlab/ModuleWithInstanceVariables users: @milestone.issue_participants_visible_by_user(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
}) })
end end
end end
......
---
title: Display only participants that user has permission to see on milestone page
merge_request:
author:
type: security
...@@ -244,4 +244,45 @@ describe Projects::MilestonesController do ...@@ -244,4 +244,45 @@ describe Projects::MilestonesController do
end end
end end
end end
context '#participants' do
render_views
context "when guest user" do
let(:issue_assignee) { create(:user) }
let(:guest_user) { create(:user) }
before do
project.add_guest(guest_user)
sign_in(guest_user)
issue.update(assignee_ids: issue_assignee.id)
end
context "when issue is not confidential" do
it 'shows milestone participants' do
params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
get :participants, params: params
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).to include(issue_assignee.name)
end
end
context "when issue is confidential" do
before do
issue.update(confidential: true)
end
it 'shows no milestone participants' do
params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
get :participants, params: params
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).not_to include(issue_assignee.name)
end
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment