Commit c7ee6535 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-2920-fix-notes-with-label-cross-reference' into 'master'

Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3419
parents 077f2c6c 4d8ed01b
...@@ -13,7 +13,9 @@ module Mentionable ...@@ -13,7 +13,9 @@ module Mentionable
def self.other_patterns def self.other_patterns
[ [
Commit.reference_pattern, Commit.reference_pattern,
MergeRequest.reference_pattern MergeRequest.reference_pattern,
Label.reference_pattern,
Milestone.reference_pattern
] ]
end end
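Review bot: The `Label.reference_pattern` and `Milestone.reference_pattern` entries added to `other_patterns` carry no comment saying they are there for access control, so a later cleanup could drop them without anyone noticing the security impact. Judging by the changelog entry and the spec in this commit, they only take effect together with the `label milestone` actions added to the list in `SystemNoteMetadata`, so the two lists have to change together. I would add above the array something like `# Label/Milestone: needed so system notes that reference them get the cross-reference visibility check; keep in sync with the action list in SystemNoteMetadata`. How `other_patterns` is consumed lies outside this hunk, so the wording should be confirmed against the caller.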
......
...@@ -10,6 +10,7 @@ class SystemNoteMetadata < ApplicationRecord ...@@ -10,6 +10,7 @@ class SystemNoteMetadata < ApplicationRecord
commit cross_reference commit cross_reference
close duplicate close duplicate
moved merge moved merge
label milestone
].freeze ].freeze
ICON_TYPES = %w[ ICON_TYPES = %w[
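Review bot: The list extended with `label milestone` works as an opt-in, which means the check fails open for every action that is not named in it. Going by the spec in this commit, only listed actions reach `matches_cross_reference_regex?`, and a system note with any other action is presumably treated as containing no cross-reference. The constant's opening line is outside the hunk; on it I would document the criterion, e.g. `# Every action whose note text can contain a reference to another project must be listed here`, and check the remaining actions against that rule.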
......
---
title: Show cross-referenced label and milestones in issues' activities only to authorized users
merge_request:
author:
type: security
...@@ -379,6 +379,63 @@ describe Note do ...@@ -379,6 +379,63 @@ describe Note do
expect(label_note.cross_reference?).to be_falsy expect(label_note.cross_reference?).to be_falsy
end end
end end
context 'when system note metadata is not present' do
let(:note) { build(:note, :system) }
before do
allow(note).to receive(:system_note_metadata).and_return(nil)
end
it 'delegates to the system note service' do
expect(SystemNotes::IssuablesService).to receive(:cross_reference?).with(note.note)
note.cross_reference?
end
end
context 'with a system note' do
let(:issue) { create(:issue, project: create(:project, :repository)) }
let(:note) { create(:system_note, note: "test", noteable: issue, project: issue.project) }
shared_examples 'system_note_metadata includes note action' do
it 'delegates to the cross-reference regex' do
expect(note).to receive(:matches_cross_reference_regex?)
note.cross_reference?
end
end
context 'with :label action' do
let!(:metadata) {create(:system_note_metadata, note: note, action: :label)}
it_behaves_like 'system_note_metadata includes note action'
it { expect(note.cross_reference?).to be_falsy }
context 'with cross reference label note' do
let(:label) { create(:label, project: issue.project)}
let(:note) { create(:system_note, note: "added #{label.to_reference} label", noteable: issue, project: issue.project) }
it { expect(note.cross_reference?).to be_truthy }
end
end
context 'with :milestone action' do
let!(:metadata) {create(:system_note_metadata, note: note, action: :milestone)}
it_behaves_like 'system_note_metadata includes note action'
it { expect(note.cross_reference?).to be_falsy }
context 'with cross reference milestone note' do
let(:milestone) { create(:milestone, project: issue.project)}
let(:note) { create(:system_note, note: "added #{milestone.to_reference} milestone", noteable: issue, project: issue.project) }
it { expect(note.cross_reference?).to be_truthy }
end
end
end
end end
describe 'clear_blank_line_code!' do describe 'clear_blank_line_code!' do
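Review bot: Both new `with cross reference ... note` contexts create the label and the milestone in `issue.project`, so the specs never exercise the case the fix is for: a reference that points into a different, private project. `label.to_reference` and `milestone.to_reference` are called without arguments and presumably yield the short form, so a note text carrying another project's path is never run through the regex here. I would add a context where the label and milestone belong to a second, private project and the note holds the cross-project form of the reference, asserting that `cross_reference?` is truthy and that a user without access to that project does not see the note. The `when system note metadata is not present` example only checks delegation to `SystemNotes::IssuablesService.cross_reference?`; whether that path recognises label and milestone references is not shown in this commit and deserves its own example.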
......