Merge branch 'security-starred-projects-private-profile' into 'master'

Hide starred & contributed projects of users with private profile See merge request gitlab-org/security/gitlab!1063

Merge branch 'security-starred-projects-private-profile' into 'master'
Hide starred & contributed projects of users with private profile See merge request gitlab-org/security/gitlab!1063
673ff06e · GitLab Release Tools Bot · db1314b8 · e93aeb3d · 673ff06e · 673ff06e
Commit 673ff06e authored Dec 01, 2020 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -19,7 +19,7 @@ class UsersController < ApplicationController
  prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
  before_action :user, except: [:exists, :suggests]
  before_action :authorize_read_user_profile!,
-                only: [:calendar, :calendar_activities, :groups, :projects, :contributed_projects, :starred_projects, :snippets]
+                only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets]

  feature_category :users


--- a/changelogs/unreleased/security-starred-projects-private-profile.yml
+++ b/changelogs/unreleased/security-starred-projects-private-profile.yml
+---
+title: Do not show starred & contributed projects of users with private profile
+merge_request:
+author:
+type: security
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -354,32 +354,99 @@ RSpec.describe UsersController do

  describe 'GET #contributed' do
    let(:project) { create(:project, :public) }
-    let(:current_user) { create(:user) }
+
+    subject do
+      get :contributed, params: { username: author.username }, format: format
+    end

    before do
-      sign_in(current_user)
+      sign_in(user)

      project.add_developer(public_user)
      project.add_developer(private_user)
+      create(:push_event, project: project, author: author)
+
+      subject
    end

-    context 'with public profile' do
+    shared_examples_for 'renders contributed projects' do
      it 'renders contributed projects' do
-        create(:push_event, project: project, author: public_user)
+        expect(assigns[:contributed_projects]).not_to be_empty
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end

-        get :contributed, params: { username: public_user.username }
+    %i(html json).each do |format|
+      context "format: #{format}" do
+        let(:format) { format }

-        expect(assigns[:contributed_projects]).not_to be_empty
+        context 'with public profile' do
+          let(:author) { public_user }
+
+          it_behaves_like 'renders contributed projects'
+        end
+
+        context 'with private profile' do
+          let(:author) { private_user }
+
+          it 'returns 404' do
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+
+          context 'with a user that has the ability to read private profiles', :enable_admin_mode do
+            let(:user) { create(:admin) }
+
+            it_behaves_like 'renders contributed projects'
+          end
+        end
+      end
+    end
+  end
+
+  describe 'GET #starred' do
+    let(:project) { create(:project, :public) }
+
+    subject do
+      get :starred, params: { username: author.username }, format: format
+    end
+
+    before do
+      author.toggle_star(project)
+
+      sign_in(user)
+      subject
+    end
+
+    shared_examples_for 'renders starred projects' do
+      it 'renders starred projects' do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(assigns[:starred_projects]).not_to be_empty
      end
    end

-    context 'with private profile' do
-      it 'does not render contributed projects' do
-        create(:push_event, project: project, author: private_user)
+    %i(html json).each do |format|
+      context "format: #{format}" do
+        let(:format) { format }
+
+        context 'with public profile' do
+          let(:author) { public_user }
+
+          it_behaves_like 'renders starred projects'
+        end
+
+        context 'with private profile' do
+          let(:author) { private_user }
+
+          it 'returns 404' do
+            expect(response).to have_gitlab_http_status(:not_found)
+          end

-        get :contributed, params: { username: private_user.username }
+          context 'with a user that has the ability to read private profiles', :enable_admin_mode do
+            let(:user) { create(:admin) }

-        expect(assigns[:contributed_projects]).to be_empty
+            it_behaves_like 'renders starred projects'
+          end
+        end
      end
    end
  end