Commit a5594b08 authored by Pavel Shutsin's avatar Pavel Shutsin

Hide private group name when access request is denied

When a user's access request is denied and the user
has no access to read the target group/project,
we shouldn't expose the group/project name
in the notification email.

Changelog: changed
parent 6f4d35be
......@@ -43,9 +43,13 @@ module Emails
user = User.find(user_id)
@source_hidden = !member_source.readable_by?(user)
human_name = @source_hidden ? 'Hidden' : member_source.human_name
member_email_with_layout(
to: user.notification_email_for(notification_group),
subject: subject("Access to the #{member_source.human_name} #{member_source.model_name.singular} was denied"))
subject: subject("Access to the #{human_name} #{member_source.model_name.singular} was denied"))
end
def member_invited_email(member_source_type, member_id, token)
......
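Review bot: The subject is masked here, but `member_email_with_layout` is defined outside this hunk, so it is worth confirming that nothing it adds to the message (headers, layout text) is still derived from `member_source` when `readable_by?` returns false. The `'Hidden'` placeholder is a bare literal that is repeated in the HAML template, so the subject and body can drift apart; assigning it once, e.g. `@source_name = @source_hidden ? 'Hidden' : member_source.human_name`, and reusing that in the view would avoid this. A short comment above the check, such as `# The requester may not be able to read a private source; never reveal its name or URL`, would record why the flag exists. The method's opening lines are outside the hunk.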
......@@ -2,6 +2,11 @@
%td.text-content
%p
Your request to join the
#{link_to member_source.human_name, member_source.web_url, class: :highlight} #{member_source.model_name.singular}
has been #{content_tag :span, 'denied', class: :highlight}.
- if @source_hidden
#{content_tag :span, 'Hidden', class: :highlight}
- else
#{link_to member_source.human_name, member_source.web_url, class: :highlight}
#{member_source.model_name.singular} has been #{content_tag :span, 'denied', class: :highlight}.
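Review bot: Only the HTML template is changed on this page, so if this mail also has a plain-text template, that part would presumably still print `member_source.human_name` and `member_source.web_url` to a user who cannot read the source. The same `@source_hidden` branch should be applied there, and the specs' `not_to have_body_text` checks should be confirmed to cover every MIME part rather than only the HTML one. Indentation is lost on this page, so it cannot be verified here that the final `has been denied` line sits outside the `if`/`else`; the spec expectation `"Hidden project"` suggests it does.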
......@@ -720,11 +720,8 @@ RSpec.describe Notify do
end
describe 'project access denied' do
let(:project) { create(:project, :public) }
let(:project_member) do
project.request_access(user)
project.requesters.find_by(user_id: user.id)
end
let_it_be(:project) { create(:project, :public) }
let_it_be(:project_member) { create(:project_member, :developer, :access_request, user: user, source: project) }
subject { described_class.member_access_denied_email('project', project.id, user.id) }
......@@ -739,6 +736,17 @@ RSpec.describe Notify do
is_expected.to have_body_text project.full_name
is_expected.to have_body_text project.web_url
end
context 'when user can not read project' do
let_it_be(:project) { create(:project, :private) }
it 'hides project name from subject and body' do
is_expected.to have_subject "Access to the Hidden project was denied"
is_expected.to have_body_text "Hidden project"
is_expected.not_to have_body_text project.full_name
is_expected.not_to have_body_text project.web_url
end
end
end
describe 'project access changed' do
......@@ -1351,10 +1359,8 @@ RSpec.describe Notify do
end
describe 'group access denied' do
let(:group_member) do
group.request_access(user)
group.requesters.find_by(user_id: user.id)
end
let_it_be(:group) { create(:group, :public) }
let_it_be(:group_member) { create(:group_member, :developer, :access_request, user: user, source: group) }
let(:recipient) { user }
......@@ -1372,6 +1378,17 @@ RSpec.describe Notify do
is_expected.to have_body_text group.name
is_expected.to have_body_text group.web_url
end
context 'when user can not read group' do
let_it_be(:group) { create(:group, :private) }
it 'hides group name from subject and body' do
is_expected.to have_subject "Access to the Hidden group was denied"
is_expected.to have_body_text "Hidden group"
is_expected.not_to have_body_text group.name
is_expected.not_to have_body_text group.web_url
end
end
end
describe 'group access changed' do
......
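Review bot: In the 'when user can not read project' context only `project` is redefined with `let_it_be`, while `project_member` from the enclosing `describe` appears to have been created against the outer public project. The examples still pass because the mailer is called with `project.id` and `user.id` only, but the fixture no longer describes the scenario under test. Redefining the member inside the context, e.g. `let_it_be(:project_member) { create(:project_member, :developer, :access_request, user: user, source: project) }`, or adding a comment that the member record is not used, would make this explicit. The 'when user can not read group' context has the same shape with `group` and `group_member`, as far as the visible lines show.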