Commit b6424b37 authored by Patrick Derichs's avatar Patrick Derichs

Fix confidential issue label disclosure on milestone view

Add changelog entry

Method should be public

Use milestonish method

Use render data to filter labels

Add specs for label visibility on milestone
parent b02fca96
...@@ -26,16 +26,22 @@ module MilestoneActions ...@@ -26,16 +26,22 @@ module MilestoneActions
end end
end end
# rubocop:disable Gitlab/ModuleWithInstanceVariables
def labels def labels
respond_to do |format| respond_to do |format|
format.html { redirect_to milestone_redirect_path } format.html { redirect_to milestone_redirect_path }
format.json do format.json do
milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
render json: tabs_json("shared/milestones/_labels_tab", { render json: tabs_json("shared/milestones/_labels_tab", {
labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables labels: milestone_labels.map do |label|
label.present(issuable_subject: @milestone.parent)
end
}) })
end end
end end
end end
# rubocop:enable Gitlab/ModuleWithInstanceVariables
private private
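Review bot: The visibility filtering now rests entirely on `@milestone.issue_labels_visible_by_user(current_user)` on the line before `render json:`, but nothing at the call site says why the plain label list was dropped, so a later refactor back to `@milestone.labels` would silently reintroduce the disclosure. A one-line comment above the assignment would pin the intent, e.g. `# Only labels on issues the current user can see; labels on confidential issues must not leak through the JSON labels tab.` Since this action also serves unauthenticated requests for public projects, `current_user` can be nil here, so it is worth confirming that `issue_labels_visible_by_user` (defined outside this hunk) accepts a nil user rather than raising. The method name also suggests only issue labels are returned; if `@milestone.labels` previously included labels attached to merge requests, that narrowing should be intentional rather than a side effect of the fix.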
---
title: Fix confidential issue label disclosure on milestone view
merge_request:
author:
type: security
...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do ...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do
end end
end end
describe '#labels' do
render_views
context 'as json' do
let!(:guest) { create(:user, username: 'guest1') }
let!(:group) { create(:group, :public) }
let!(:project) { create(:project, :public, group: group) }
let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
it 'does not render labels of private issues if user has no access' do
sign_in(guest)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).not_to include(label.title)
end
it 'does render labels of private issues if user has access' do
sign_in(user)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).to include(label.title)
end
end
end
context 'promotion succeeds' do context 'promotion succeeds' do
before do before do
group.add_developer(user) group.add_developer(user)
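Review bot: The two new examples in `describe '#labels'` cover a signed-in guest and a user with access, but not an unauthenticated request, which is a realistic path for a `:public` group and project and the one most likely to exercise the disclosure this commit fixes. `user` and `milestone` come from lets outside this hunk, so the positive example implicitly relies on that `user` having access to confidential issues of the overridden `project`; stating that in the example name or a short comment would make the intent explicit. An anonymous example alongside the existing two would close the gap:
```ruby
      it 'does not render labels of private issues for anonymous users' do
        get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json

        expect(response).to have_gitlab_http_status(200)
        expect(json_response['html']).not_to include(label.title)
      end
```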