author | Patrick Derichs <pderichs@gitlab.com> | 2019-05-14 13:16:30 +0200 |
---|---|---|
committer | Patrick Derichs <pderichs@gitlab.com> | 2019-05-14 13:16:30 +0200 |
commit | b6424b378d3fd79a78c597f1c3d630ab2245f460 (patch) | |
tree | 4ea3d51c0066774efc4050facbcd46eed4b4295a /spec/controllers/projects/milestones_controller_spec.rb | |
parent | b02fca968445e0828fc76bec689ab3d4f3755e07 (diff) | |
download | gitlab-ce-b6424b378d3fd79a78c597f1c3d630ab2245f460.tar.gz |
Fix confidential issue label disclosure on milestone view
Add changelog entry
Method should be public
Use milestonish method
Use render data to filter labels
Add specs for label visibility on milestone
Diffstat (limited to 'spec/controllers/projects/milestones_controller_spec.rb')
-rw-r--r-- | spec/controllers/projects/milestones_controller_spec.rb | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb index f8470a94f98..767cee7d54a 100644 --- a/spec/controllers/projects/milestones_controller_spec.rb +++ b/spec/controllers/projects/milestones_controller_spec.rb @@ -175,6 +175,40 @@ describe Projects::MilestonesController do end end + describe '#labels' do + render_views + + context 'as json' do + let!(:guest) { create(:user, username: 'guest1') } + let!(:group) { create(:group, :public) } + let!(:project) { create(:project, :public, group: group) } + let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) } + let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) } + + it 'does not render labels of private issues if user has no access' do + sign_in(guest) + + get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json + + expect(response).to have_gitlab_http_status(200) + expect(response.content_type).to eq 'application/json' + + expect(json_response['html']).not_to include(label.title) + end + + it 'does render labels of private issues if user has access' do + sign_in(user) + + get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json + + expect(response).to have_gitlab_http_status(200) + expect(response.content_type).to eq 'application/json' + + expect(json_response['html']).to include(label.title) + end + end + end + context 'promotion succeeds' do before do group.add_developer(user) |
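Review bot: The negative example signs in `guest`, but that user is never added to the project, so it only covers a signed-in non-member; a member holding the Guest role, who should equally not see labels from confidential issues, is not exercised. A sibling example that calls `project.add_guest(guest)` before `sign_in(guest)` and keeps `expect(json_response['html']).not_to include(label.title)` would pin the fix for that role as well. The `not_to include` assertion would also pass on an empty `html` payload, so consider adding a second, non-confidential labeled issue to the milestone and asserting that its label is still rendered for the guest. `milestone` and `user` are defined outside this hunk, so the visible lines do not confirm that `milestone` belongs to the `project` redefined here, or what access `user` holds.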