Commit d332c8c7 authored by Douwe Maan's avatar Douwe Maan Committed by Michael Kozono

Merge branch '36679-non-authorized-user-may-see-wikis-or-pipeline-page' into 'security-10-2'

Fixes project visibility guidelines

See merge request gitlab/gitlabhq!2226

(cherry picked from commit 877c42c0aaf3298d6001614c9706bc366ae4014c)

e4fd1c26 Ensure project wiki visibility guidelines are met
parent 806a68a8
...@@ -272,7 +272,7 @@ class ProjectsController < Projects::ApplicationController ...@@ -272,7 +272,7 @@ class ProjectsController < Projects::ApplicationController
render 'projects/empty' if @project.empty_repo? render 'projects/empty' if @project.empty_repo?
else else
if @project.wiki_enabled? if can?(current_user, :read_wiki, @project)
@project_wiki = @project.wiki @project_wiki = @project.wiki
@wiki_home = @project_wiki.find_page('home', params[:version_id]) @wiki_home = @project_wiki.find_page('home', params[:version_id])
elsif @project.feature_available?(:issues, current_user) elsif @project.feature_available?(:issues, current_user)
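Review bot: The new `can?(current_user, :read_wiki, @project)` check at line 16 is the authorization boundary that keeps a project's wiki out of the overview page for users who may not read it, yet the only spec changes on this page are to PreferencesHelper; unless a controller spec exists elsewhere in the merge request, nothing pins that `@project_wiki` and `@wiki_home` stay unset for such a user. A `ProjectsController` 'GET show' example with a public project whose wiki is restricted to members, signed in as a non-member, asserting `assigns(:wiki_home)` is nil and that the issues or customize_workflow view is rendered instead, would cover the fix. The enclosing method starts and ends outside the hunk.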
...@@ -58,7 +58,7 @@ module PreferencesHelper ...@@ -58,7 +58,7 @@ module PreferencesHelper
user_view user_view
elsif user_view == "activity" elsif user_view == "activity"
"activity" "activity"
elsif @project.wiki_enabled? elsif can?(current_user, :read_wiki, @project)
"wiki" "wiki"
elsif @project.feature_available?(:issues, current_user) elsif @project.feature_available?(:issues, current_user)
"projects/issues/issues" "projects/issues/issues"
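Review bot: `default_project_view` now mixes different kinds of gate in one `elsif` chain — `can?(current_user, :read_wiki, @project)` at line 25, `@project.feature_available?(:issues, current_user)` at line 27 and, presumably above the hunk, a `:download_code` check — and nothing in the method says that every branch must be a per-user authorization check rather than a plain feature-enabled check, which is exactly the regression this commit fixes. A short comment above the chain would guard against the next branch being written as `@project.wiki_enabled?` again, e.g. `# Every branch must be a per-user check: a feature being enabled does not mean current_user may see it.` The enclosing method starts and ends outside the hunk.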
...@@ -58,6 +58,10 @@ FactoryGirl.define do ...@@ -58,6 +58,10 @@ FactoryGirl.define do
end end
end end
trait :readme do
project_view :readme
end
factory :omniauth_user do factory :omniauth_user do
transient do transient do
extern_uid '123456' extern_uid '123456'
...@@ -77,15 +77,6 @@ describe PreferencesHelper do ...@@ -77,15 +77,6 @@ describe PreferencesHelper do
end end
end end
def stub_user(messages = {})
if messages.empty?
allow(helper).to receive(:current_user).and_return(nil)
else
allow(helper).to receive(:current_user)
.and_return(double('user', messages))
end
end
describe '#default_project_view' do describe '#default_project_view' do
context 'user not signed in' do context 'user not signed in' do
before do before do
...@@ -125,5 +116,70 @@ describe PreferencesHelper do ...@@ -125,5 +116,70 @@ describe PreferencesHelper do
end end
end end
end end
context 'user signed in' do
let(:user) { create(:user, :readme) }
let(:project) { create(:project, :public, :repository) }
before do
helper.instance_variable_set(:@project, project)
allow(helper).to receive(:current_user).and_return(user)
end
context 'when the user is allowed to see the code' do
it 'returns the project view' do
allow(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
expect(helper.default_project_view).to eq('readme')
end
end
context 'with wikis enabled and the right policy for the user' do
before do
project.project_feature.update_attribute(:issues_access_level, 0)
allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
end
it 'returns wiki if the user has the right policy' do
allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(true)
expect(helper.default_project_view).to eq('wiki')
end
it 'returns customize_workflow if the user does not have the right policy' do
allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
expect(helper.default_project_view).to eq('customize_workflow')
end
end
context 'with issues as a feature available' do
it 'return issues' do
allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
expect(helper.default_project_view).to eq('projects/issues/issues')
end
end
context 'with no activity, no wikies and no issues' do
it 'returns customize_workflow as default' do
project.project_feature.update_attribute(:issues_access_level, 0)
allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
expect(helper.default_project_view).to eq('customize_workflow')
end
end
end
end
def stub_user(messages = {})
if messages.empty?
allow(helper).to receive(:current_user).and_return(nil)
else
allow(helper).to receive(:current_user)
.and_return(double('user', messages))
end
end end
end end
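Review bot: The example 'returns customize_workflow if the user does not have the right policy' (lines 80-83) reaches the same state as 'returns customize_workflow as default' (lines 93-97) — issues disabled, `:download_code` and `:read_wiki` both denied — so one of the two is redundant and should be dropped or given a distinct setup. The bare `0` passed to `update_attribute(:issues_access_level, 0)` at lines 73 and 94 is the feature-access enum's disabled value and reads better as `ProjectFeature::DISABLED`; `update_attribute` also bypasses validations, so `update!(issues_access_level: ProjectFeature::DISABLED)` is the safer spelling. The description at line 92 has a typo, `wikies` → `wikis`. The `describe PreferencesHelper` block starts outside the hunk.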