Commit d8f620be authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-215175-filter-merge-participants' into 'master'

Check access when sending TODOs related to merge requests

Closes #177

See merge request gitlab-org/security/gitlab!667
parents 757ee605 e6c70a58
...@@ -517,7 +517,7 @@ class MergeRequest < ApplicationRecord ...@@ -517,7 +517,7 @@ class MergeRequest < ApplicationRecord
participants << merge_user participants << merge_user
end end
participants participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }
end end
def first_commit def first_commit
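Review bot: The new `participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }` line silently changes the method's contract — the result is now filtered by access and the author is no longer guaranteed to appear (the spec in this commit expects an empty result for a non-member author) — yet nothing in the method says so, and the `def merge_participants` line sits above the hunk. Add a comment above that line such as `# Only participants allowed to read this MR are returned, so TODOs are never sent to users without access; the result may be empty (e.g. a non-member author on a non-public project).` Any caller that assumes `merge_participants.first` is the author should be checked; I cannot see callers from this hunk. The policy check runs once per participant, presumably only the author and merge user, so the added cost is negligible.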
---
title: Check access when sending TODOs related to merge requests
merge_request:
author:
type: security
...@@ -3661,7 +3661,7 @@ RSpec.describe MergeRequest do ...@@ -3661,7 +3661,7 @@ RSpec.describe MergeRequest do
describe '#merge_participants' do describe '#merge_participants' do
it 'contains author' do it 'contains author' do
expect(subject.merge_participants).to eq([subject.author]) expect(subject.merge_participants).to contain_exactly(subject.author)
end end
describe 'when merge_when_pipeline_succeeds? is true' do describe 'when merge_when_pipeline_succeeds? is true' do
...@@ -3675,8 +3675,20 @@ RSpec.describe MergeRequest do ...@@ -3675,8 +3675,20 @@ RSpec.describe MergeRequest do
author: user) author: user)
end end
it 'contains author only' do context 'author is not a project member' do
expect(subject.merge_participants).to eq([subject.author]) it 'is empty' do
expect(subject.merge_participants).to be_empty
end
end
context 'author is a project member' do
before do
subject.project.team.add_reporter(user)
end
it 'contains author only' do
expect(subject.merge_participants).to contain_exactly(subject.author)
end
end end
end end
...@@ -3689,8 +3701,24 @@ RSpec.describe MergeRequest do ...@@ -3689,8 +3701,24 @@ RSpec.describe MergeRequest do
merge_user: merge_user) merge_user: merge_user)
end end
it 'contains author and merge user' do before do
expect(subject.merge_participants).to eq([subject.author, merge_user]) subject.project.team.add_reporter(subject.author)
end
context 'merge user is not a member' do
it 'contains author only' do
expect(subject.merge_participants).to contain_exactly(subject.author)
end
end
context 'both author and merge users are project members' do
before do
subject.project.team.add_reporter(merge_user)
end
it 'contains author and merge user' do
expect(subject.merge_participants).to contain_exactly(subject.author, merge_user)
end
end end
end end
end end
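Review bot: The `is empty` example in the new `author is not a project member` context (second hunk, `@@ -3675`) only holds while the project is non-public, but neither the context name nor anything in the hunk states the project's visibility — `subject`, `user` and `merge_user` are set up above the hunk and the enclosing `describe` ends below it. Make the precondition explicit, either in the setup above the hunk or by naming it in the context, e.g. `context 'author is not a member of the non-public project' do`, so the example's meaning does not rest on a factory default. The same applies to the `merge user is not a member` context in the third hunk. Switching from `eq` to `contain_exactly` is a good change, since element order of the filtered result is not part of the contract.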