author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:55 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:55 +0000 |
commit | 2f0050fba988353109d216c2e89b475e04ca6f49 (patch) | |
tree | abe02a925c58e261b9fefe471e4748cc73f67c69 /spec | |
parent | 90e223353182e9288a0507bee7d0b1c9394fa0b7 (diff) | |
parent | 81fee3617ab9005aa07d31308630e17330b8fd8b (diff) | |
download | gitlab-ce-2f0050fba988353109d216c2e89b475e04ca6f49.tar.gz |
Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master'
[master] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2771
Diffstat (limited to 'spec')
-rw-r--r-- | spec/policies/project_policy_spec.rb | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 7d567a67a41..6c854bab5a5 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -12,7 +12,7 @@ describe ProjectPolicy do let(:base_guest_permissions) do %i[ read_project read_board read_list read_wiki read_issue - read_project_for_iids read_issue_iid read_merge_request_iid read_label + read_project_for_iids read_issue_iid read_label read_milestone read_project_snippet read_project_member read_note create_project create_issue create_note upload_file create_merge_request_in award_emoji read_release @@ -164,6 +164,16 @@ describe ProjectPolicy do end end + context 'for a guest in a private project' do + let(:project) { create(:project, :private) } + subject { described_class.new(guest, project) } + + it 'disallows the guest from reading the merge request and merge request iid' do + expect_disallowed(:read_merge_request) + expect_disallowed(:read_merge_request_iid) + end + end + context 'builds feature' do subject { described_class.new(owner, project) } |
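Review bot: The new `for a guest in a private project` context contains only `expect_disallowed` checks, and those also pass when an ability name is misspelled or the rule is never enabled for any role, so the context alone does not pin where the access boundary sits. The first hunk drops `read_merge_request_iid` from `base_guest_permissions`, and this spec-only view adds it to no other role's list, so no positive expectation for the ability is visible here. I would pair the negative case with a sibling context for the lowest role that should still hold it, on the same private project, asserting `expect_allowed(:read_merge_request)` and `expect_allowed(:read_merge_request_iid)`. Which role that is needs confirming against the policy change, which is not shown in this diff. A short comment above the new context, such as `# Guests must not resolve MR references in private projects; see the policy rule for read_merge_request_iid`, would also record why the ability left the guest list.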