Merge branch 'security-branch-permissions' into 'master'

Check permissions for find_file_path

Closes #103

See merge request gitlab-org/security/gitlab!392

app/helpers/projects_helper.rb

@@ -625,6 +625,7 @@ module ProjectsHelper
 
   def find_file_path
     return unless @project && !@project.empty_repo?
+    return unless can?(current_user, :download_code, @project)
 
     ref = @ref || @project.repository.root_ref
 

changelogs/unreleased/security-branch-permissions.yml

+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security

spec/helpers/application_helper_spec.rb

@@ -280,11 +280,16 @@ describe ApplicationHelper do
     end
 
     context 'when @project is set' do
-      it 'includes all possible body data elements and associates the project elements with project' do
-        project = create(:project)
+      let_it_be(:project) { create(:project, :repository) }
+      let_it_be(:user) { create(:user) }
 
+      before do
         assign(:project, project)
+        allow(helper).to receive(:current_user).and_return(nil)
+      end
 
+      it 'includes all possible body data elements and associates the project elements with project' do
+        expect(helper).to receive(:can?).with(nil, :download_code, project)
         expect(helper.body_data).to eq(
           {
             page: 'application',
@@ -305,12 +310,11 @@ describe ApplicationHelper do
 
         context 'when params[:id] is present and the issue exsits and action_name is show' do
           it 'sets all project and id elements correctly related to the issue' do
-            issue = create(:issue)
+            issue = create(:issue, project: project)
             stub_controller_method(:action_name, 'show')
             stub_controller_method(:params, { id: issue.id })
 
-            assign(:project, issue.project)
-
+            expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
             expect(helper.body_data).to eq(
               {
                 page: 'projects:issues:show',
@@ -325,6 +329,15 @@ describe ApplicationHelper do
           end
         end
       end
+
+      context 'when current_user has download_code permission' do
+        it 'returns find_file with the default branch' do
+          allow(helper).to receive(:current_user).and_return(user)
+
+          expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+          expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+        end
+      end
     end
 
     def stub_controller_method(method_name, value)