Commit e68bf142 authored by Marcia Ramos's avatar Marcia Ramos

Merge branch '34079-mirrored-url-visible-for-users-despite-no-access-to-repositories' into 'master'

Only display mirrored URL to users who can manage Repository settings

See merge request gitlab-org/gitlab!27166
parents 297c66b2 163766d1
---
title: Only display mirrored URL to users who can manage Repository settings
merge_request: 27166
author:
type: changed
......@@ -28,6 +28,10 @@ immediate update, unless:
- The mirror is already being updated.
- 5 minutes haven't elapsed since its last update.
For security reasons, from [GitLab 12.10 onwards](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/27166),
the URL to the original repository is only displayed to users with
Maintainer or Owner permissions to the mirrored project.
## Use cases
The following are some possible use cases for repository mirroring:
......
......@@ -4,7 +4,7 @@ module EE
module MirrorHelper
def render_mirror_failed_message(raw_message:)
mirror_last_update_at = @project.import_state.last_update_at
message = "The repository failed to update #{time_ago_with_tooltip(mirror_last_update_at)}.".html_safe
message = "Pull mirroring failed #{time_ago_with_tooltip(mirror_last_update_at)}.".html_safe
return message if raw_message
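Review bot: The new message line still calls `.html_safe` on a string built by interpolation, which marks the whole result as trusted rather than only the `time_ago_with_tooltip` markup. That is safe only while helper-generated markup is the sole interpolated value, and the `raw_message:` parameter suggests this method also handles mirror error text nearby. I would add a comment above the line, for example `# html_safe is acceptable only because the single interpolated value is helper-generated markup; never interpolate import error text here`. render_mirror_failed_message continues past the end of this hunk, so the rest of the body was not reviewed.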
......
- if @project.mirror?
- import_url = @project.safe_import_url
%p
- if can?(current_user, :admin_project, @project)
- import_url = @project.safe_import_url
Mirrored from #{link_to import_url, import_url}.
%br
= render "shared/mirror_status"
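Review bot: The `can?(current_user, :admin_project, @project)` check guards only this template, so any other view, helper or serializer that renders `@project.safe_import_url` is not covered by it. No such call site is visible here, so it is worth confirming that none is reachable by lower roles. `safe_import_url` masks the credentials (the spec expects `*****:*****`) but, going by that same expected string, still shows the upstream host, which is why the gate matters. I would add a comment above the condition, for example `-# The mirror source URL reveals the upstream host; show it only to users who can administer the project.`, and consider moving the check into a helper so other templates can reuse it.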
......@@ -3,7 +3,7 @@
- case @project.import_state.last_update_status
- when :success
Updated #{time_ago_with_tooltip(last_successful_update_at)}.
Pull mirroring updated #{time_ago_with_tooltip(last_successful_update_at)}.
- when :failed
= render_mirror_failed_message(raw_message: raw_message)
......
......@@ -3,9 +3,9 @@
require 'spec_helper'
describe 'Project show page', :feature do
describe 'stat button existence' do
let(:user) { create(:user) }
let_it_be(:user) { create(:user) }
describe 'stat button existence' do
describe 'populated project' do
let(:project) { create(:project, :public, :repository) }
......@@ -30,4 +30,36 @@ describe 'Project show page', :feature do
end
end
end
describe 'pull mirroring information' do
let_it_be(:project) do
create(:project, :repository, mirror: true, mirror_user: user, import_url: 'http://user:pass@test.com')
end
context 'for maintainer' do
before do
project.add_maintainer(user)
sign_in(user)
visit project_path(project)
end
it 'displays mirrored from url' do
expect(page).to have_content("Mirrored from http://*****:*****@test.com")
end
end
context 'for guest' do
before do
project.add_guest(user)
sign_in(user)
visit project_path(project)
end
it 'does not display mirrored from url' do
expect(page).not_to have_content("Mirrored from http://*****:*****@test.com")
end
end
end
end
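Review bot: The guest example in the new 'pull mirroring information' block asserts only that the exact masked string is absent, so it would still pass if the page showed the URL in any other form, such as unmasked or without the `Mirrored from` prefix. Asserting on the parts is stricter: `expect(page).not_to have_content('Mirrored from')` and `expect(page).not_to have_content('test.com')`. The two roles tested are also the extremes. Going by the documentation change in this commit (Maintainer or Owner only), the cut-off lies between Developer and Maintainer, so a Developer context with the same negative assertions would pin down the actual boundary.

```ruby
# … unchanged: 'for maintainer' and 'for guest' contexts …
context 'for developer' do
  before do
    project.add_developer(user)
    sign_in(user)
    visit project_path(project)
  end

  it 'does not display mirrored from url' do
    expect(page).not_to have_content('Mirrored from')
    expect(page).not_to have_content('test.com')
  end
end
```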
......@@ -25,7 +25,7 @@ describe 'shared/_mirror_status.html.haml' do
render 'shared/mirror_status'
expect(rendered).to have_content("Updated")
expect(rendered).to have_content("Pull mirroring updated")
end
end
......@@ -39,13 +39,13 @@ describe 'shared/_mirror_status.html.haml' do
it 'renders failure message' do
render 'shared/mirror_status', raw_message: true
expect(rendered).to have_content("The repository failed to update")
expect(rendered).to have_content("Pull mirroring failed")
end
it 'renders failure message with icon' do
render 'shared/mirror_status'
expect(rendered).to have_content('The repository failed to update')
expect(rendered).to have_content("Pull mirroring failed")
expect(rendered).to have_css('i', class: 'fa-warning fa-triangle')
end
......