Commit d9114c15 authored by Robert Speicher's avatar Robert Speicher Committed by Robert Speicher

Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'

Prevent information disclosure via milestone API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579

See merge request !1961
parent b6b7bb53
...@@ -87,7 +87,15 @@ module API ...@@ -87,7 +87,15 @@ module API
authorize! :read_milestone, user_project authorize! :read_milestone, user_project
@milestone = user_project.milestones.find(params[:milestone_id]) @milestone = user_project.milestones.find(params[:milestone_id])
present paginate(@milestone.issues), with: Entities::Issue
finder_params = {
project_id: user_project.id,
milestone_title: @milestone.title,
state: 'all'
}
issues = IssuesFinder.new(current_user, finder_params).execute
present paginate(issues), with: Entities::Issue, current_user: current_user
end end
end end
......
...@@ -106,7 +106,7 @@ describe API::API, api: true do ...@@ -106,7 +106,7 @@ describe API::API, api: true do
describe 'GET /projects/:id/milestones/:milestone_id/issues' do describe 'GET /projects/:id/milestones/:milestone_id/issues' do
before do before do
milestone.issues << create(:issue) milestone.issues << create(:issue, project: project)
end end
it 'should return project issues for a particular milestone' do it 'should return project issues for a particular milestone' do
get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user) get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user)
...@@ -119,5 +119,34 @@ describe API::API, api: true do ...@@ -119,5 +119,34 @@ describe API::API, api: true do
get api("/projects/#{project.id}/milestones/#{milestone.id}/issues") get api("/projects/#{project.id}/milestones/#{milestone.id}/issues")
expect(response.status).to eq(401) expect(response.status).to eq(401)
end end
describe 'confidential issues' do
let(:public_project) { create(:project, :public) }
let(:milestone) { create(:milestone, project: public_project) }
let(:issue) { create(:issue, project: public_project) }
let(:confidential_issue) { create(:issue, confidential: true, project: public_project) }
before do
public_project.team << [user, :developer]
milestone.issues << issue << confidential_issue
end
it 'returns confidential issues to team members' do
get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user)
expect(response.status).to eq(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(2)
expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id)
end
it 'does not return confidential issues to regular users' do
get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", create(:user))
expect(response.status).to eq(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
expect(json_response.map { |issue| issue['id'] }).to include(issue.id)
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment