Merge branch '36679-non-authorized-user-may-see-wikis-or-pipeline-page' into 'security-10-2'

Fixes project visibility guidelines

See merge request gitlab/gitlabhq!2226

(cherry picked from commit 877c42c0aaf3298d6001614c9706bc366ae4014c)

e4fd1c26 Ensure project wiki visibility guidelines are met

app/controllers/projects_controller.rb

@@ -272,7 +272,7 @@ class ProjectsController < Projects::ApplicationController
 
       render 'projects/empty' if @project.empty_repo?
     else
-      if @project.wiki_enabled?
+      if can?(current_user, :read_wiki, @project)
         @project_wiki = @project.wiki
         @wiki_home = @project_wiki.find_page('home', params[:version_id])
       elsif @project.feature_available?(:issues, current_user)

app/helpers/preferences_helper.rb

@@ -58,7 +58,7 @@ module PreferencesHelper
       user_view
     elsif user_view == "activity"
       "activity"
-    elsif @project.wiki_enabled?
+    elsif can?(current_user, :read_wiki, @project)
       "wiki"
     elsif @project.feature_available?(:issues, current_user)
       "projects/issues/issues"

spec/factories/users.rb

@@ -58,6 +58,10 @@ FactoryGirl.define do
       end
     end
 
+    trait :readme do
+      project_view :readme
+    end
+
     factory :omniauth_user do
       transient do
         extern_uid '123456'

spec/helpers/preferences_helper_spec.rb

@@ -77,15 +77,6 @@ describe PreferencesHelper do
     end
   end
 
-  def stub_user(messages = {})
-    if messages.empty?
-      allow(helper).to receive(:current_user).and_return(nil)
-    else
-      allow(helper).to receive(:current_user)
-        .and_return(double('user', messages))
-    end
-  end
-
   describe '#default_project_view' do
     context 'user not signed in' do
       before do
@@ -125,5 +116,70 @@ describe PreferencesHelper do
         end
       end
     end
+
+    context 'user signed in' do
+      let(:user) { create(:user, :readme) }
+      let(:project) { create(:project, :public, :repository) }
+
+      before do
+        helper.instance_variable_set(:@project, project)
+        allow(helper).to receive(:current_user).and_return(user)
+      end
+
+      context 'when the user is allowed to see the code' do
+        it 'returns the project view' do
+          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+
+          expect(helper.default_project_view).to eq('readme')
+        end
+      end
+
+      context 'with wikis enabled and the right policy for the user' do
+        before do
+          project.project_feature.update_attribute(:issues_access_level, 0)
+          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
+        end
+
+        it 'returns wiki if the user has the right policy' do
+          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(true)
+
+          expect(helper.default_project_view).to eq('wiki')
+        end
+
+        it 'returns customize_workflow if the user does not have the right policy' do
+          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(helper.default_project_view).to eq('customize_workflow')
+        end
+      end
+
+      context 'with issues as a feature available' do
+        it 'return issues' do
+          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
+          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(helper.default_project_view).to eq('projects/issues/issues')
+        end
+      end
+
+      context 'with no activity, no wikies and no issues' do
+        it 'returns customize_workflow as default' do
+          project.project_feature.update_attribute(:issues_access_level, 0)
+          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
+          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(helper.default_project_view).to eq('customize_workflow')
+        end
+      end
+    end
+  end
+
+  def stub_user(messages = {})
+    if messages.empty?
+      allow(helper).to receive(:current_user).and_return(nil)
+    else
+      allow(helper).to receive(:current_user)
+        .and_return(double('user', messages))
+    end
   end
 end