Merge branch 'master' into issue_12658

2 files changed, 217 insertions, 41 deletions

diff --git a/spec/controllers/projects/branches_controller_spec.rb b/spec/controllers/projects/branches_controller_spec.rb
index 8e06d4bdc77..98ae424ed7c 100644
--- a/spec/controllers/projects/branches_controller_spec.rb
+++ b/spec/controllers/projects/branches_controller_spec.rb
@@ -17,49 +17,79 @@ describe Projects::BranchesController do
   describe "POST create" do
     render_views
 
-    before do
-      post :create,
-        namespace_id: project.namespace.to_param,
-        project_id: project.to_param,
-        branch_name: branch,
-        ref: ref
-    end
+    context "on creation of a new branch" do
+      before do
+        post :create,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          branch_name: branch,
+          ref: ref
+      end
 
-    context "valid branch name, valid source" do
-      let(:branch) { "merge_branch" }
-      let(:ref) { "master" }
-      it 'redirects' do
-        expect(subject).
-          to redirect_to("/#{project.path_with_namespace}/tree/merge_branch")
+      context "valid branch name, valid source" do
+        let(:branch) { "merge_branch" }
+        let(:ref) { "master" }
+        it 'redirects' do
+          expect(subject).
+            to redirect_to("/#{project.path_with_namespace}/tree/merge_branch")
+        end
+      end
+
+      context "invalid branch name, valid ref" do
+        let(:branch) { "<script>alert('merge');</script>" }
+        let(:ref) { "master" }
+        it 'redirects' do
+          expect(subject).
+            to redirect_to("/#{project.path_with_namespace}/tree/alert('merge');")
+        end
+      end
+
+      context "valid branch name, invalid ref" do
+        let(:branch) { "merge_branch" }
+        let(:ref) { "<script>alert('ref');</script>" }
+        it { is_expected.to render_template('new') }
+      end
+
+      context "invalid branch name, invalid ref" do
+        let(:branch) { "<script>alert('merge');</script>" }
+        let(:ref) { "<script>alert('ref');</script>" }
+        it { is_expected.to render_template('new') }
+      end
+
+      context "valid branch name with encoded slashes" do
+        let(:branch) { "feature%2Ftest" }
+        let(:ref) { "<script>alert('ref');</script>" }
+        it { is_expected.to render_template('new') }
+        it { project.repository.branch_names.include?('feature/test') }
       end
     end
 
-    context "invalid branch name, valid ref" do
-      let(:branch) { "<script>alert('merge');</script>" }
-      let(:ref) { "master" }
+    describe "created from the new branch button on issues" do
+      let(:branch) { "1-feature-branch" }
+      let!(:issue) { create(:issue, project: project) }
+
+
       it 'redirects' do
+        post :create,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          branch_name: branch,
+          issue_iid: issue.iid
+
         expect(subject).
-          to redirect_to("/#{project.path_with_namespace}/tree/alert('merge');")
+          to redirect_to("/#{project.path_with_namespace}/tree/1-feature-branch")
       end
-    end
 
-    context "valid branch name, invalid ref" do
-      let(:branch) { "merge_branch" }
-      let(:ref) { "<script>alert('ref');</script>" }
-      it { is_expected.to render_template('new') }
-    end
+      it 'posts a system note' do
+        expect(SystemNoteService).to receive(:new_issue_branch).with(issue, project, user, "1-feature-branch")
 
-    context "invalid branch name, invalid ref" do
-      let(:branch) { "<script>alert('merge');</script>" }
-      let(:ref) { "<script>alert('ref');</script>" }
-      it { is_expected.to render_template('new') }
-    end
+        post :create,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          branch_name: branch,
+          issue_iid: issue.iid
+      end
 
-    context "valid branch name with encoded slashes" do
-      let(:branch) { "feature%2Ftest" }
-      let(:ref) { "<script>alert('ref');</script>" }
-      it { is_expected.to render_template('new') }
-      it { project.repository.branch_names.include?('feature/test')}
     end
   end
 
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 76d56bc989d..2cd81231144 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1,16 +1,16 @@
 require('spec_helper')
 
 describe Projects::IssuesController do
-  let(:project) { create(:project) }
-  let(:user)    { create(:user) }
-  let(:issue) { create(:issue, project: project) }
+  describe "GET #index" do
+    let(:project) { create(:project) }
+    let(:user) { create(:user) }
+    let(:issue) { create(:issue, project: project) }
 
-  before do
-    sign_in(user)
-    project.team << [user, :developer]
-  end
+    before do
+      sign_in(user)
+      project.team << [user, :developer]
+    end
 
-  describe "GET #index" do
     it "returns index" do
       get :index, namespace_id: project.namespace.path, project_id: project.path
 
@@ -38,6 +38,152 @@ describe Projects::IssuesController do
       get :index, namespace_id: project.namespace.path, project_id: project.path
       expect(response.status).to eq(404)
     end
+  end
+
+  describe 'Confidential Issues' do
+    let(:project) { create(:empty_project, :public) }
+    let(:assignee) { create(:assignee) }
+    let(:author) { create(:user) }
+    let(:non_member) { create(:user) }
+    let(:member) { create(:user) }
+    let(:admin) { create(:admin) }
+    let!(:issue) { create(:issue, project: project) }
+    let!(:unescaped_parameter_value) { create(:issue, :confidential, project: project, author: author) }
+    let!(:request_forgery_timing_attack) { create(:issue, :confidential, project: project, assignee: assignee) }
+
+    describe 'GET #index' do
+      it 'should not list confidential issues for guests' do
+        sign_out(:user)
+        get_issues
+
+        expect(assigns(:issues)).to eq [issue]
+      end
+
+      it 'should not list confidential issues for non project members' do
+        sign_in(non_member)
+        get_issues
+
+        expect(assigns(:issues)).to eq [issue]
+      end
+
+      it 'should list confidential issues for author' do
+        sign_in(author)
+        get_issues
+
+        expect(assigns(:issues)).to include unescaped_parameter_value
+        expect(assigns(:issues)).not_to include request_forgery_timing_attack
+      end
+
+      it 'should list confidential issues for assignee' do
+        sign_in(assignee)
+        get_issues
+
+        expect(assigns(:issues)).not_to include unescaped_parameter_value
+        expect(assigns(:issues)).to include request_forgery_timing_attack
+      end
+
+      it 'should list confidential issues for project members' do
+        sign_in(member)
+        project.team << [member, :developer]
+
+        get_issues
+
+        expect(assigns(:issues)).to include unescaped_parameter_value
+        expect(assigns(:issues)).to include request_forgery_timing_attack
+      end
+
+      it 'should list confidential issues for admin' do
+        sign_in(admin)
+        get_issues
+
+        expect(assigns(:issues)).to include unescaped_parameter_value
+        expect(assigns(:issues)).to include request_forgery_timing_attack
+      end
+
+      def get_issues
+        get :index,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param
+      end
+    end
 
+    shared_examples_for 'restricted action' do |http_status|
+      it 'returns 404 for guests' do
+        sign_out :user
+        go(id: unescaped_parameter_value.to_param)
+
+        expect(response).to have_http_status :not_found
+      end
+
+      it 'returns 404 for non project members' do
+        sign_in(non_member)
+        go(id: unescaped_parameter_value.to_param)
+
+        expect(response).to have_http_status :not_found
+      end
+
+      it "returns #{http_status[:success]} for author" do
+        sign_in(author)
+        go(id: unescaped_parameter_value.to_param)
+
+        expect(response).to have_http_status http_status[:success]
+      end
+
+      it "returns #{http_status[:success]} for assignee" do
+        sign_in(assignee)
+        go(id: request_forgery_timing_attack.to_param)
+
+        expect(response).to have_http_status http_status[:success]
+      end
+
+      it "returns #{http_status[:success]} for project members" do
+        sign_in(member)
+        project.team << [member, :developer]
+        go(id: unescaped_parameter_value.to_param)
+
+        expect(response).to have_http_status http_status[:success]
+      end
+
+      it "returns #{http_status[:success]} for admin" do
+        sign_in(admin)
+        go(id: unescaped_parameter_value.to_param)
+
+        expect(response).to have_http_status http_status[:success]
+      end
+    end
+
+    describe 'GET #show' do
+      it_behaves_like 'restricted action', success: 200
+
+      def go(id:)
+        get :show,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          id: id
+      end
+    end
+
+    describe 'GET #edit' do
+      it_behaves_like 'restricted action', success: 200
+
+      def go(id:)
+        get :edit,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          id: id
+      end
+    end
+
+    describe 'PUT #update' do
+      it_behaves_like 'restricted action', success: 302
+
+      def go(id:)
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          id: id,
+          issue: { title: 'New title' }
+      end
+    end
   end
 end