Merge branch '34079-mirrored-url-visible-for-users-despite-no-access-to-repositories' into 'master'

Only display mirrored URL to users who can manage Repository settings See merge request gitlab-org/gitlab!27166

Merge branch '34079-mirrored-url-visible-for-users-despite-no-access-to-repositories' into 'master'
Only display mirrored URL to users who can manage Repository settings See merge request gitlab-org/gitlab!27166
e68bf142 · Marcia Ramos · 297c66b2 · 163766d1 · e68bf142 · e68bf142
Commit e68bf142 authored Apr 03, 2020 by Marcia Ramos
7 changed files
--- a/changelogs/unreleased/34079-mirrored-url-visible-for-users-despite-no-access-to-repositories.yml
+++ b/changelogs/unreleased/34079-mirrored-url-visible-for-users-despite-no-access-to-repositories.yml
+---
+title: Only display mirrored URL to users who can manage Repository settings
+merge_request: 27166
+author:
+type: changed
--- a/doc/user/project/repository/repository_mirroring.md
+++ b/doc/user/project/repository/repository_mirroring.md
@@ -28,6 +28,10 @@ immediate update, unless:
 - The mirror is already being updated.
 - 5 minutes haven't elapsed since its last update.
+For security reasons, from [GitLab 12.10 onwards](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/27166),
+the URL to the original repository is only displayed to users with
+Maintainer or Owner permissions to the mirrored project.
 ## Use cases
 The following are some possible use cases for repository mirroring:

--- a/ee/app/helpers/ee/mirror_helper.rb
+++ b/ee/app/helpers/ee/mirror_helper.rb
@@ -4,7 +4,7 @@ module EE
  module MirrorHelper
    def render_mirror_failed_message(raw_message:)
      mirror_last_update_at = @project.import_state.last_update_at
-      message = "The repository failed to update #{time_ago_with_tooltip(mirror_last_update_at)}.".html_safe
+      message = "Pull mirroring failed #{time_ago_with_tooltip(mirror_last_update_at)}.".html_safe
      return message if raw_message

--- a/ee/app/views/projects/_home_mirror.html.haml
+++ b/ee/app/views/projects/_home_mirror.html.haml
 - if @project.mirror?
-  - import_url = @project.safe_import_url
  %p
-    Mirrored from #{link_to import_url, import_url}.
+    - if can?(current_user, :admin_project, @project)
-    %br
+      - import_url = @project.safe_import_url
+      Mirrored from #{link_to import_url, import_url}.
+      %br
    = render "shared/mirror_status"
--- a/ee/app/views/shared/_mirror_status.html.haml
+++ b/ee/app/views/shared/_mirror_status.html.haml
@@ -3,7 +3,7 @@
 - case @project.import_state.last_update_status
 - when :success
-  Updated #{time_ago_with_tooltip(last_successful_update_at)}.
+  Pull mirroring updated #{time_ago_with_tooltip(last_successful_update_at)}.
 - when :failed
  = render_mirror_failed_message(raw_message: raw_message)

--- a/ee/spec/features/projects/show_project_spec.rb
+++ b/ee/spec/features/projects/show_project_spec.rb
@@ -3,9 +3,9 @@
 require 'spec_helper'
 describe 'Project show page', :feature do
-  describe 'stat button existence' do
+  let_it_be(:user) { create(:user) }
-    let(:user) { create(:user) }
+  describe 'stat button existence' do
    describe 'populated project' do
      let(:project) { create(:project, :public, :repository) }
@@ -30,4 +30,36 @@ describe 'Project show page', :feature do
      end
    end
  end
+  describe 'pull mirroring information' do
+    let_it_be(:project) do
+      create(:project, :repository, mirror: true, mirror_user: user, import_url: 'http://user:pass@test.com')
+    end
+    context 'for maintainer' do
+      before do
+        project.add_maintainer(user)
+        sign_in(user)
+        visit project_path(project)
+      end
+      it 'displays mirrored from url' do
+        expect(page).to have_content("Mirrored from http://*****:*****@test.com")
+      end
+    end
+    context 'for guest' do
+      before do
+        project.add_guest(user)
+        sign_in(user)
+        visit project_path(project)
+      end
+      it 'does not display mirrored from url' do
+        expect(page).not_to have_content("Mirrored from http://*****:*****@test.com")
+      end
+    end
+  end
 end
--- a/ee/spec/views/shared/_mirror_status.html.haml_spec.rb
+++ b/ee/spec/views/shared/_mirror_status.html.haml_spec.rb
@@ -25,7 +25,7 @@ describe 'shared/_mirror_status.html.haml' do
      render 'shared/mirror_status'
-      expect(rendered).to have_content("Updated")
+      expect(rendered).to have_content("Pull mirroring updated")
    end
  end
@@ -39,13 +39,13 @@ describe 'shared/_mirror_status.html.haml' do
    it 'renders failure message' do
      render 'shared/mirror_status', raw_message: true
-      expect(rendered).to have_content("The repository failed to update")
+      expect(rendered).to have_content("Pull mirroring failed")
    end
    it 'renders failure message with icon' do
      render 'shared/mirror_status'
-      expect(rendered).to have_content('The repository failed to update')
+      expect(rendered).to have_content("Pull mirroring failed")
      expect(rendered).to have_css('i', class: 'fa-warning fa-triangle')
    end