From a0fde4af8e107fbd9acb498e4bc96eb18a0f9d29 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 29 Apr 2022 08:21:56 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee

---
 spec/requests/api/markdown_spec.rb | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

(limited to 'spec/requests/api/markdown_spec.rb')

diff --git a/spec/requests/api/markdown_spec.rb b/spec/requests/api/markdown_spec.rb
index 0488bce4663..47e1f007daa 100644
--- a/spec/requests/api/markdown_spec.rb
+++ b/spec/requests/api/markdown_spec.rb
@@ -156,6 +156,46 @@ RSpec.describe API::Markdown do
             end
           end
         end
+
+        context 'with a public project and issues only for team members' do
+          let(:public_project) do
+            create(:project, :public).tap do |project|
+              project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
+            end
+          end
+
+          let(:issue)  { create(:issue, project: public_project, title: 'Team only title') }
+          let(:text)   { "#{issue.to_reference}" }
+          let(:params) { { text: text, gfm: true, project: public_project.full_path } }
+
+          shared_examples 'user without proper access' do
+            it 'does not render the title' do
+              expect(response).to have_gitlab_http_status(:created)
+              expect(json_response["html"]).not_to include('Team only title')
+            end
+          end
+
+          context 'when not logged in' do
+            let(:user) { }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as user without access' do
+            let(:user) { create(:user) }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as author' do
+            let(:user) { issue.author }
+
+            it 'renders the title or link' do
+              expect(response).to have_gitlab_http_status(:created)
+              expect(json_response["html"]).to include('Team only title')
+            end
+          end
+        end
       end
     end
   end
-- 
cgit v1.2.1