Commit 756ba726 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot Committed by Robert Speicher

Merge branch 'security-12-4-filter-member-only-packages' into '12-4-stable-ee'

GroupPackageFinder to filter private repos

See merge request gitlab/gitlab-ee!1413
parent ac113694
......@@ -30,6 +30,8 @@ module Packages
::Project
.in_namespace(groups)
.public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
.with_project_feature
.select { |project| Ability.allowed?(current_user, :read_package, project) }
end
def package_type
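Review bot: The added `.select { |project| Ability.allowed?(current_user, :read_package, project) }` is an Array#select on a loaded relation, not a SQL filter, so every project in the group that passes `public_or_visible_to_user` is instantiated and run through the policy one by one, and the method now returns an Array rather than an ActiveRecord relation. That is the correct place to enforce `read_package` (the SQL visibility check alone cannot see the feature-level setting), but callers that chain further scopes or pass the result into a subquery will get a materialized id list instead, and large groups pay one policy evaluation per project. A comment on the new line would make the trade-off explicit for the next reader: `# Policy check must run in Ruby; result is an Array of projects, not a relation`. The enclosing method's signature is outside the hunk, so I cannot tell whether its documented return type still matches.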
......
---
title: Filter out packages the user does'nt have permission to see at group level
merge_request:
author:
type: security
......@@ -72,5 +72,40 @@ describe Packages::GroupPackagesFinder do
it { is_expected.to match_array([package1])}
end
context 'when project is public' do
set(:other_user) { create(:user) }
let(:finder) { described_class.new(other_user, group) }
before do
project.update!(visibility_level: ProjectFeature::ENABLED)
end
context 'when packages are public' do
before do
project.project_feature.update!(
builds_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
repository_access_level: ProjectFeature::ENABLED)
end
it 'returns group packages' do
expect(finder.execute).to match_array([package1, package2])
end
end
context 'packages are members only' do
before do
project.project_feature.update!(
builds_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
repository_access_level: ProjectFeature::PRIVATE)
end
it 'filters out the project if the user doesn\'t have permission' do
expect(finder.execute).to be_empty
end
end
end
end
end
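Review bot: In the `before` block of the new "when project is public" context, `project.update!(visibility_level: ProjectFeature::ENABLED)` uses a feature-access constant where a project visibility level is expected; in GitLab these are separate families (`Gitlab::VisibilityLevel::*` for `visibility_level`), and if the two happen to share the same integer value the test only passes by coincidence. It should read `project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)` so the fixture states what it actually means. It would also be worth one positive regression guard alongside the "members only" case, asserting that a user who is a reporter on the project still sees `package1` and `package2` when `repository_access_level` is `ProjectFeature::PRIVATE`, so the new `read_package` filter cannot silently start hiding packages from members.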