Commit 6fcef956 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-filter-member-only-packages-master' into 'master'

GroupPackagesFinder to filter private repos

Closes gitlabhq#2929

See merge request gitlab/gitlab-ee!1348
parents 46c21997 5307ccec
...@@ -30,6 +30,8 @@ module Packages ...@@ -30,6 +30,8 @@ module Packages
::Project ::Project
.in_namespace(groups) .in_namespace(groups)
.public_or_visible_to_user(current_user, Gitlab::Access::REPORTER) .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
.with_project_feature
.select { |project| Ability.allowed?(current_user, :read_package, project) }
end end
def package_type def package_type
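Review bot: The added `.select { |project| Ability.allowed?(current_user, :read_package, project) }` materializes the `::Project` relation into an Array, so the enclosing method (its signature is above the hunk) presumably no longer returns an ActiveRecord::Relation; any caller that chains scopes on the result or passes it as a subquery will now load every candidate project into memory and work on ids instead. That trade-off is reasonable for a permission fix, but it should be stated so the Ruby-side check is not later "optimized" back into a pure SQL scope, e.g. `# Ability.allowed?(:read_package) is the authoritative check; public_or_visible_to_user is only a DB pre-filter, so this returns an Array, not a relation.` The `.with_project_feature` line reads as a preload for that per-project policy call and deserves a short note saying so, otherwise it looks unrelated to the fix.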
---
title: Filter out packages the user does'nt have permission to see at group level
merge_request:
author:
type: security
...@@ -72,5 +72,47 @@ describe Packages::GroupPackagesFinder do ...@@ -72,5 +72,47 @@ describe Packages::GroupPackagesFinder do
it { is_expected.to match_array([package1])} it { is_expected.to match_array([package1])}
end end
context 'when project is public' do
set(:other_user) { create(:user) }
let(:finder) { described_class.new(other_user, group) }
before do
project.update!(visibility_level: ProjectFeature::ENABLED)
end
context 'when packages are public' do
before do
project.project_feature.update!(
builds_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
repository_access_level: ProjectFeature::ENABLED)
end
it 'returns group packages' do
package1 = create(:maven_package, project: project)
package2 = create(:maven_package, project: project)
create(:maven_package)
expect(finder.execute).to match_array([package1, package2])
end
end
context 'packages are members only' do
before do
project.project_feature.update!(
builds_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
repository_access_level: ProjectFeature::PRIVATE)
create(:maven_package, project: project)
create(:maven_package)
end
it 'filters out the project if the user doesn\'t have permission' do
expect(finder.execute).to be_empty
end
end
end
end end
end end
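Review bot: `project.update!(visibility_level: ProjectFeature::ENABLED)` in the new 'when project is public' block assigns a project-feature access level where a project visibility level is expected; it appears to work only because both constants happen to share the same integer value. The intent reads as `project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)`, which keeps the example correct if either enum is ever renumbered. The 'packages are members only' context pins only the non-member path; a companion example showing that a member of the project still sees the package would cover the other half of the fix, assuming the `user`/`group` lets defined above the hunk apply. I can't tell from the hunk whether package visibility is driven by `repository_access_level` alone, so a one-line comment in the 'when packages are public' setup explaining why that is the lever would help the next reader.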