From 29d8b4ee72c28ade5006f3f1343402782c38b231 Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Mon, 3 Apr 2017 18:47:14 +0000
Subject: Merge branch '29364-private-projects-mr-fix'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don’t show source project name when user does not have access

See merge request !2081
---
 spec/features/merge_requests/create_new_mr_spec.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'spec/features/merge_requests')

diff --git a/spec/features/merge_requests/create_new_mr_spec.rb b/spec/features/merge_requests/create_new_mr_spec.rb
index f36781167fb..d4fe67c224f 100644
--- a/spec/features/merge_requests/create_new_mr_spec.rb
+++ b/spec/features/merge_requests/create_new_mr_spec.rb
@@ -70,6 +70,18 @@ feature 'Create New Merge Request', feature: true, js: true do
       visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
 
       expect(page).not_to have_content private_project.path_with_namespace
+      expect(page).to have_content project.path_with_namespace
+    end
+  end
+
+  context 'when source project cannot be viewed by the current user' do
+    it 'does not leak the private project name & namespace' do
+      private_project = create(:project, :private)
+
+      visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { source_project_id: private_project.id })
+
+      expect(page).not_to have_content private_project.path_with_namespace
+      expect(page).to have_content project.path_with_namespace
     end
   end
 
-- 
cgit v1.2.1